diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
index 1307ee80..19938a82 100644
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -37,13 +37,13 @@ jobs:
 rc: true
 - name: Canary test
- uses: docker://ghcr.io/step-security/integration-test/int:latest
+ uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
 env:
 PAT: ${{ secrets.PAT }}
 canary: true
 - name: Canary TLS test
- uses: docker://ghcr.io/step-security/integration-test/int:latest
+ uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
 env:
 PAT: ${{ secrets.PAT }}
 canary-tls: true
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index 0518582d..fb0f5b24 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -20,4 +20,4 @@ jobs:
 int.api.stepsecurity.io:443
 - name: Code Review
- uses: step-security/ai-codewise@int
+ uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int
diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml
index a863ff8d..907a2a0f 100644
--- a/.github/workflows/publish-immutable-actions.yml
+++ b/.github/workflows/publish-immutable-actions.yml
@@ -22,7 +22,7 @@ jobs:
 egress-policy: audit
 - name: Checking out
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Publish
 id: publish
 uses: actions/publish-immutable-action@0.0.4
\ No newline at end of file
diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml
index 20fc63ab..e00c4bd3 100644
--- a/.github/workflows/recurring-int-tests.yml
+++ b/.github/workflows/recurring-int-tests.yml
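Review bot: Both `+ uses:` lines in the canary.yml hunk keep the `:latest` tag in front of the new digest, and once a digest is present the tag is ignored at pull time, so `latest` no longer tells a reader which build was pinned and the step will stay on this exact digest until someone edits the line by hand. Consider annotating the pin the way the other hunks in this commit annotate SHAs, e.g. `uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106 # <tag or build date the digest was taken from>`, and confirm that whatever bumps the action SHAs (Dependabot/Renovate) is also configured to track container digests under `uses: docker://`, which I believe is not on by default. The recurring-int-tests.yml hunks at -18 and -33 and the release.yml hunk at -40 pin the identical digest and need the same annotation.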
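Review bot: The trailing comment on `+ uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int` records a branch name rather than a release, unlike the `# v4.2.2` and `# v3.6.0` annotations elsewhere in this commit, so a reader cannot tell which ai-codewise build the SHA freezes and update tooling that rewrites the comment alongside the SHA has no version to compare against. If `int` carries no tag, spell the intent out, e.g. `# int branch head as of <date>` (date to be filled in), or cut a tag for that commit and reference it instead. The `# rc` comments on the four harden-runner pins in runs-on.yml (hunks -14, -43, -89 and -137) have the same issue.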
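Review bot: The publish-immutable-actions.yml hunk pins `actions/checkout` to a full SHA but leaves the neighbouring context line ` uses: actions/publish-immutable-action@0.0.4` on a mutable tag, and that is presumably the step that performs the publish, so a moved `0.0.4` tag would change what runs there without any change to this file. Pin it the same way, `uses: actions/publish-immutable-action@<commit sha that 0.0.4 resolves to> # 0.0.4`, resolving the placeholder from the action's repository rather than from memory. The `\ No newline at end of file` marker also shows the file still lacks a trailing newline, which is worth fixing while this stanza is being touched.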
@@ -18,7 +18,7 @@ jobs:
 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - name: Canary test
- uses: docker://ghcr.io/step-security/integration-test/int:latest
+ uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
 env:
 PAT: ${{ secrets.PAT }}
 canary: true
@@ -33,7 +33,7 @@ jobs:
 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - name: Canary test
- uses: docker://ghcr.io/step-security/integration-test/int:latest
+ uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
 env:
 PAT: ${{ secrets.PAT }}
 canary-tls: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e27ded9e..f5b79947 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
 rc: true
 - name: Canary test
- uses: docker://ghcr.io/step-security/integration-test/int:latest
+ uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
 env:
 PAT: ${{ secrets.PAT }}
 canary: true
diff --git a/.github/workflows/runs-on.yml b/.github/workflows/runs-on.yml
index a233b749..0b67b3f6 100644
--- a/.github/workflows/runs-on.yml
+++ b/.github/workflows/runs-on.yml
@@ -14,7 +14,7 @@ jobs:
 - image=ubuntu24-stepsecurity-x64
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@rc
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # rc
 with:
 egress-policy: audit
 allowed-endpoints: >
@@ -23,7 +23,7 @@ jobs:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Run outbound calls from host
 run: |
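Review bot: The `+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` line in the runs-on.yml -23 hunk freezes the checkout major at v3 while publish-immutable-actions.yml in the same commit pins v4.2.2, so the repository now carries two checkout majors, and the SHA pin means this one will not move without a deliberate edit; v3 is also, as far as I recall, the Node 16 line that GitHub has been retiring on its hosted runners, which may or may not matter on the custom `ubuntu24-stepsecurity-x64` image these jobs use. If staying on v3 is intentional, say so in the comment, e.g. `# v3.6.0 - kept on v3 deliberately: <reason>`; otherwise bump it to the same v4.2.2 SHA used in publish-immutable-actions.yml. The same line appears in the -56, -103 and -152 hunks of this file, and each enclosing job definition continues past its hunk.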
@@ -43,7 +43,7 @@ jobs:
 - image=ubuntu24-stepsecurity-x64
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@rc
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # rc
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -56,7 +56,7 @@ jobs:
 security.ubuntu.com:80
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Run outbound calls from within Docker container
 continue-on-error: true
@@ -89,7 +89,7 @@ jobs:
 - image=ubuntu24-stepsecurity-x64
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@rc
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # rc
 with:
 egress-policy: audit
 allowed-endpoints: >
@@ -103,7 +103,7 @@ jobs:
 security.ubuntu.com:80
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Build Docker image and test outbound calls during build
 continue-on-error: true
@@ -137,7 +137,7 @@ jobs:
 - image=ubuntu24-stepsecurity-x64
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@rc
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # rc
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -152,7 +152,7 @@ jobs:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Run long-running Docker container with outbound calls
 continue-on-error: true