diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml
index 5bbc82d37..0593574d7 100644
--- a/.github/workflows/check-nix-format.yml
+++ b/.github/workflows/check-nix-format.yml
@@ -19,13 +19,13 @@ jobs:
 name: nixfmt-check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 2
 - name: Calculate changed files
 id: changed-files
 run: echo "changed_files=$(git diff --name-only -r HEAD^1 HEAD | xargs)" >> $GITHUB_OUTPUT
- - uses: cachix/install-nix-action@v30
+ - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 with:
 extra_nix_config: sandbox = true
 nix_path: nixpkgs=channel:nixpkgs-unstable
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index df5e23339..6615c47ef 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -10,8 +10,8 @@ jobs:
 tests:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: cachix/install-nix-action@v30
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 with:
 nix_path: nixpkgs=channel:nixos-unstable
 extra_nix_config: |
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 49456f550..b7b7a9df6 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
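Review bot: The trailing comments on the new pins in the check-nix-format.yml hunk (`# v4`, `# v30`) name floating major tags, so nothing on the line records which release each commit SHA was taken from. GitHub can resolve a `uses:` SHA that exists only in a fork of the action's repository, so a reviewer needs the exact tag to confirm the commit belongs to the upstream release; I would put the full release in the comment, e.g. `- uses: actions/checkout@<sha> # v4.x.y` (placeholder version), as the `# v4.0.1` comment in update.yml already does. The same applies to the `# v4`/`# v30` pins in pr.yml and update.yml and to `# v2` and `# v3` in update.yml's second hunk. The diff adds no update automation for these pins; if none exists elsewhere in the repository, a Dependabot or Renovate rule for GitHub Actions would keep them from going stale.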
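Review bot: In the pr.yml hunk the pinned `actions/checkout` step still runs with its defaults, which leave the job's token in the local git configuration for every later step of the `tests` job. If that job builds or evaluates code from the pull request (the workflow trigger and the steps after `extra_nix_config: |` are outside the hunk), I would add `with: { persist-credentials: false }` to the checkout step so the token is not readable from the workspace. Pinning the action fixes which checkout code runs, but it does not change what that code leaves behind for the steps that follow.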
@@ -17,14 +17,14 @@ jobs:
 if: github.event_name != 'push' || !endsWith(github.actor, '[bot]')
 steps:
 - id: get_workflow_token
- uses: peter-murray/workflow-application-token-action@v4.0.1
+ uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343 # v4.0.1
 with:
 application_id: '${{ secrets.GH_APPLICATION_ID }}'
 application_private_key: '${{ secrets.GH_APPLICATION_PRIVATE_KEY }}'
 permissions: "contents:write"
 revoke_token: true
- - uses: actions/checkout@v4
- - uses: cachix/install-nix-action@v30
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 with:
 nix_path: nixpkgs=channel:nixos-unstable
 extra_nix_config: |
@@ -40,18 +40,18 @@ jobs:
 git pull --rebase origin ${{ github.event.repository.default_branch }}
 env:
 GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
- - uses: CasperWA/push-protected@v2
+ - uses: CasperWA/push-protected@74d25b8aa10e0c29024138735d32f3c0b75f9279 # v2
 with:
 token: ${{ steps.get_workflow_token.outputs.token }}
 branch: ${{ github.event.repository.default_branch }}
 - name: Dispatch NUR-combined update
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
 with:
 token: ${{ steps.get_workflow_token.outputs.token }}
 repository: nix-community/nur-combined
 event-type: nur_update
 - name: Dispatch NUR-search update
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
 with:
 token: ${{ steps.get_workflow_token.outputs.token }}
 repository: nix-community/nur-search
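Review bot: In the second update.yml hunk (`@@ -40,18 +40,18 @@`) the unchanged `git pull --rebase` line expands `${{ github.event.repository.default_branch }}` directly into the shell script, in a step whose environment holds the App token requested with `contents:write`. The value is set by repository admins, so the exposure is small, but the safer habit is to pass it as data: add `DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}` under the step's `env:` and run `git pull --rebase origin "$DEFAULT_BRANCH"`. The step starts above the hunk, so its other commands are not visible here.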