diff --git a/.github/workflows/ci-update-dist.yml b/.github/workflows/ci-update-dist.yml
index d4c088f..56a043b 100644
--- a/.github/workflows/ci-update-dist.yml
+++ b/.github/workflows/ci-update-dist.yml
@@ -54,7 +54,7 @@ jobs:
         cp -r sources/dist .
 
     - name: Import GPG key to sign commits
-      uses: crazy-max/ghaction-import-gpg@v6
+      uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
       with:
         gpg_private_key: ${{ secrets.GH_BOT_PGP_PRIVATE_KEY }}
         passphrase: ${{ secrets.GH_BOT_PGP_PASSPHRASE }}
diff --git a/.github/workflows/integ-test-dependency-graph.yml b/.github/workflows/integ-test-dependency-graph.yml
index 6c8fadf..9f6aa57 100644
--- a/.github/workflows/integ-test-dependency-graph.yml
+++ b/.github/workflows/integ-test-dependency-graph.yml
@@ -178,7 +178,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
     - name: Download dependency-graph artifact
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         path: downloaded-dependency-graphs
         pattern: dependency-graph_*dependency-graph-generate-submit-and-upload.json
diff --git a/.github/workflows/update-checksums-file.yml b/.github/workflows/update-checksums-file.yml
index 3efec3d..2ae67f4 100644
--- a/.github/workflows/update-checksums-file.yml
+++ b/.github/workflows/update-checksums-file.yml
@@ -38,7 +38,7 @@ jobs:
         working-directory: sources
 
       - name: Import GPG key to sign commits
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
         with:
           gpg_private_key: ${{ secrets.GH_BOT_PGP_PRIVATE_KEY }}
           passphrase: ${{ secrets.GH_BOT_PGP_PASSPHRASE }}