The only way to 'harden your github actions' is to not use github actions.