diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 889fc87..4ce4d28 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ jobs:
         pocket-ic-version: [ 9.0.2 ]
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       # This is needed for building state-machine-tests
       - name: Install proto
@@ -18,7 +18,7 @@ jobs:
           sudo apt install -y protobuf-compiler libprotobuf-dev
 
       - name: Cache Cargo
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.cargo/registry
@@ -33,7 +33,7 @@ jobs:
           rustup show
 
       - name: Cache PocketIC
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: pocket-ic
           key: ${{ matrix.pocket-ic-version }}-pocket-ic-binary
diff --git a/.github/workflows/release-with-github.yml b/.github/workflows/release-with-github.yml
index bd57f56..a5bf9c5 100644
--- a/.github/workflows/release-with-github.yml
+++ b/.github/workflows/release-with-github.yml
@@ -33,12 +33,12 @@ jobs:
     outputs:
       nev_version: ${{ steps.determine_version.outputs.NEW_VERSION }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
       - name: Use Rust version from rust-toolchain.toml
         run: rustup show
-      - uses: cargo-bins/cargo-binstall@main
+      - uses: cargo-bins/cargo-binstall@6ed12bbaae779f3fd3ba1477bc9a61a2535a3bb2 # main
       - name: Install dependencies
         run: cargo binstall cargo-release ripgrep -y
       - name: Determine new version number by dry-running `cargo-release`
@@ -88,7 +88,7 @@ jobs:
     needs: [create-release, call-release-binaries-workflow]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Open the release PR
         env:
           GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bd6f1b..b45d438 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -71,7 +71,7 @@ jobs:
           echo "INFO: The release tag is: $TAG"
           echo "TAG=$TAG" >> "$GITHUB_ENV"
           echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           ref: ${{ env.TAG }}
       - name: Install Rust
@@ -79,7 +79,7 @@ jobs:
       - id: create-release
         run: gh release create ${{ env.TAG }} --draft --prerelease="true" --title="${{ env.TAG }}" --notes="TBD"
       - name: Install dfx
-        uses: dfinity/setup-dfx@main
+        uses: dfinity/setup-dfx@e50c04f104ee4285ec010f10609483cf41e4d365 # main
       - name: Build WASM
         run: |
           dfx build --check