diff --git a/.github/workflows/label-enforcer.yaml b/.github/workflows/label-enforcer.yaml
index e1969530..43d51da2 100644
--- a/.github/workflows/label-enforcer.yaml
+++ b/.github/workflows/label-enforcer.yaml
@@ -10,6 +10,6 @@ jobs:
       pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR
     runs-on: ubuntu-latest
     steps:
-    - uses: TimonVS/pr-labeler-action@v5
+    - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-workflow.yaml b/.github/workflows/pr-workflow.yaml
index 25577a18..f00716a0 100644
--- a/.github/workflows/pr-workflow.yaml
+++ b/.github/workflows/pr-workflow.yaml
@@ -11,10 +11,10 @@ jobs:
     name: Linting & checking uncommitted changes
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.ref }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: 'go.mod'
       - name: Setup access for private go modules
@@ -22,7 +22,7 @@ jobs:
           git config --global url.'https://${{ secrets.GH_REPO_READ_TOKEN }}@github.com'.insteadOf 'https://github.com'
       - name: Install buf plugins
         run: make buf/plugins
-      - uses: bufbuild/buf-action@v1
+      - uses: bufbuild/buf-action@fd21066df7214747548607aaa45548ba2b9bc1ff # v1.4.0
         with:
           # Don't push the schema to the Buf Schema Registry
           push: false
@@ -30,13 +30,13 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       # make sure the PR includes the updated generated code.
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
       - name: "Generate code"
         run: make generate
       - name: "Compile Go files"
         run: make build-go
       - name: "Check uncommited changes"
-        uses: CatChen/check-git-status-action@v2
+        uses: CatChen/check-git-status-action@cc5a79733c441f67cd0cd076de116cd2eebcebfe # v2.1.3
         with:
           fail-if-not-clean: true
           request-changes-if-not-clean: true
@@ -62,7 +62,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           fetch-tags: true
diff --git a/.github/workflows/release-draft.yaml b/.github/workflows/release-draft.yaml
index 17573353..c20d6d69 100644
--- a/.github/workflows/release-draft.yaml
+++ b/.github/workflows/release-draft.yaml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Update Release Draft
-        uses: release-drafter/release-drafter@v7
+        uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
         with:
           disable-autolabeler: true
           commitish: main
diff --git a/.github/workflows/release-workflow.yaml b/.github/workflows/release-workflow.yaml
index 292ddeb8..157a9a79 100644
--- a/.github/workflows/release-workflow.yaml
+++ b/.github/workflows/release-workflow.yaml
@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Publish packages
         uses: ./.github/actions/publish-packages
@@ -40,7 +40,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Tag Release
         run: |
@@ -50,7 +50,7 @@ jobs:
           git push origin tag "$VERSION"
 
       - name: Publish Release Notes
-        uses: release-drafter/release-drafter@v7
+        uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
         with:
           disable-autolabeler: true
           commitish: ${{ github.ref }}
diff --git a/.github/workflows/spelling.yaml b/.github/workflows/spelling.yaml
index d90bfd8c..52cce4a5 100644
--- a/.github/workflows/spelling.yaml
+++ b/.github/workflows/spelling.yaml
@@ -92,7 +92,7 @@ jobs:
     steps:
     - name: check-spelling
       id: spelling
-      uses: check-spelling/check-spelling@main
+      uses: check-spelling/check-spelling@c635c2f3f714eec2fcf27b643a1919b9a811ef2e # v0.0.25
       with:
         suppress_push_for_open_pull_request: ${{ github.actor != 'dependabot[bot]' && 1 }}
         checkout: true
@@ -124,7 +124,7 @@ jobs:
     if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push'
     steps:
     - name: comment
-      uses: check-spelling/check-spelling@main
+      uses: check-spelling/check-spelling@c635c2f3f714eec2fcf27b643a1919b9a811ef2e # v0.0.25
       with:
         checkout: true
         spell_check_this: check-spelling/spell-check-this@prerelease
@@ -142,7 +142,7 @@ jobs:
     if: (success() || failure()) && needs.spelling.outputs.followup && contains(github.event_name, 'pull_request')
     steps:
     - name: comment
-      uses: check-spelling/check-spelling@main
+      uses: check-spelling/check-spelling@c635c2f3f714eec2fcf27b643a1919b9a811ef2e # v0.0.25
       with:
         checkout: true
         spell_check_this: check-spelling/spell-check-this@prerelease
@@ -166,7 +166,7 @@ jobs:
       cancel-in-progress: false
     steps:
     - name: apply spelling updates
-      uses: check-spelling/check-spelling@main
+      uses: check-spelling/check-spelling@c635c2f3f714eec2fcf27b643a1919b9a811ef2e # v0.0.25
       with:
         experimental_apply_changes_via_bot: 1
         checkout: true