diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 07e4401..b437f78 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -10,11 +10,11 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
-      - uses: actions/cache@v3
+      - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
         with:
           path: |
             ~/.cache/pip
@@ -35,7 +35,7 @@ jobs:
           .venv/bin/python3 -m pip install -Ur .github/requirements.txt
       - run: .venv/bin/gitlint --commits "origin/$GITHUB_BASE_REF..HEAD"
         if: github.event_name == 'pull_request'
-      - uses: pre-commit/action@v3.0.0
+      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # v3.0.0
 
   test:
     runs-on: ${{ matrix.os }}
@@ -61,8 +61,8 @@ jobs:
             os: ubuntu-20.04
             extra-deps: "'virtualenv<20.22.0'"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           # >= 3.11 to ensure there's a recent one to run nox with
           # (assumption: last one listed ends up as "python3")
@@ -74,7 +74,7 @@ jobs:
           # on older versions (e.g. 3.5) that do not have pypi.org CA certs in
           # baseline pip's chain
           PIP_CERT: /etc/ssl/certs/ca-certificates.crt
-      - uses: actions/cache@v3
+      - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
         with:
           path: |
             ~/.cache/pip
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9f7925c..224b8a4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ jobs:
   release_please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
         id: release_please
         with:
           config-file: .github/release-please-config.json
@@ -23,10 +23,10 @@ jobs:
     needs: release_please
     if: needs.release_please.outputs.release_created
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: ${{ needs.release_please.outputs.sha }}
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.10"
       - name: Create release assets
@@ -35,6 +35,6 @@ jobs:
           python3 -m pip install -U setuptools wheel
           python3 setup.py sdist bdist_wheel
           ls dist
-      - uses: pypa/gh-action-pypi-publish@v1.4.2
+      - uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 # v1.4.2
         with:
           password: ${{ secrets.PYPI_API_TOKEN }}