diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
index 657c48c..5d06814 100644
--- a/.github/workflows/pr-checks.yaml
+++ b/.github/workflows/pr-checks.yaml
@@ -6,8 +6,8 @@ jobs:
 commitlint:
 runs-on: zon-ubuntu-general-dind
 steps:
- - uses: actions/checkout@v4
- - uses: wagoid/commitlint-github-action@v5
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: wagoid/commitlint-github-action@9763196e10f27aef304c9b8b660d31d97fce0f99 # v5
 tests:
 runs-on: zon-ubuntu-general-dind
@@ -17,7 +17,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@v4
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 - name: Call baseproject GHA
 id: baseproject
@@ -36,7 +36,7 @@ jobs:
 run: kubectl create configmap test-runner-${{ github.run_id }}-${{ github.run_attempt }} --from-literal=foo=bar
 - name: '[TEST] Read example value from Vault'
- uses: hashicorp/vault-action@v3
+ uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3
 with:
 url: ${{ steps.baseproject.outputs.vault_addr }}
 token: ${{ steps.baseproject.outputs.vault_token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 80d8ae5..7a14bb0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,10 +15,10 @@ jobs:
 steps:
 - id: release
- uses: google-github-actions/release-please-action@v4
+ uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
 with:
 release-type: simple
- - uses: actions/checkout@v4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 - name: tag major and minor versions
 if: ${{ steps.release.outputs.release_created }}
 run: |
diff --git a/action.yml b/action.yml
index dedc431..2a1d08f 100644
--- a/action.yml
+++ b/action.yml
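Review bot: The trailing comments on the new pins in `.github/workflows/pr-checks.yaml` name a moving major tag (`# v4`, `# v5`, `# v3`) rather than the release the SHA was taken from, so a reviewer cannot check a pin against an upstream tag. The inconsistency is visible for `hashicorp/vault-action`: the same SHA is annotated `# v3` in the `@@ -36,7` hunk of this file and `# v3.0.0` in `action.yml`. I would record the exact release everywhere, e.g. `uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0`; the same applies to the `# v4` comments in `release.yml` and the `# v6`, `# v2` and `# v3` comments in `action.yml`. Update tooling such as Dependabot or Renovate maintains this comment when it bumps a pin, so a precise value also keeps later update PRs reviewable.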
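Review bot: In `.github/workflows/release.yml`, the pin on `google-github-actions/release-please-action` should be checked against the upstream repository's current status. As far as I know, the action has since been continued under `googleapis/release-please-action`, and a SHA pin on a repository that no longer ships releases will never pick up fixes. This job creates releases and tags, so it presumably runs with a write-scoped token. The `permissions:` block is outside the hunk and should be confirmed to grant only what release-please needs.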
@@ -99,7 +99,7 @@ runs:
 - name: Retrieve Baseproject Environment Config from Vault
 id: raw-config
- uses: hashicorp/vault-action@v3.0.0
+ uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
 with:
 url: https://vault.ops.zeit.de
 method: jwt
@@ -128,7 +128,7 @@ runs:
 - name: Retrieve zon-ops GitHub user GPG key
 id: zon-ops-gpg
- uses: hashicorp/vault-action@v3.0.0
+ uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
 with:
 url: https://vault.ops.zeit.de
 method: jwt
@@ -137,7 +137,7 @@ runs:
 secrets: zon/v1/github/zon-ops gpg_key_private
 - name: Import GPG key for zon-ops user
- uses: crazy-max/ghaction-import-gpg@v6
+ uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6
 continue-on-error: true
 with:
 gpg_private_key: ${{ steps.zon-ops-gpg.outputs.gpg_key_private }}
@@ -149,7 +149,7 @@ runs:
 - name: GCloud OIDC Auth
 id: auth
 if: inputs.google_auth == 'true' || inputs.gke_auth == 'true' || inputs.gcr_auth == 'true' || inputs.gar_docker_auth == 'true'
- uses: google-github-actions/auth@v2
+ uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2
 with:
 token_format: 'access_token'
 workload_identity_provider: projects/161854031382/locations/global/workloadIdentityPools/github-pool/providers/github-actions-provider
@@ -163,7 +163,7 @@ runs:
 - name: Write GKE Credentials to kubeconfig
 if: inputs.gke_auth == 'true'
- uses: google-github-actions/get-gke-credentials@v2.1.0
+ uses: google-github-actions/get-gke-credentials@c02be8662df01db62234e9b9cff0765d1c1827ae # v2.1.0
 with:
 cluster_name: ${{ steps.baseproject-config.outputs.cluster_name }}
 project_id: ${{ steps.baseproject-config.outputs.cluster_project }}
@@ -175,7 +175,7 @@ runs:
 - name: Login to GCR
 if: inputs.gcr_auth == 'true'
- uses: docker/login-action@v3
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
 with:
 registry: eu.gcr.io
 username: oauth2accesstoken
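Review bot: In the `Import GPG key for zon-ops user` hunk (`@@ -137,7`), the pinned third-party action is the one that receives `gpg_key_private`, yet nothing on the line records which release the SHA was taken from. Before merging I would confirm that `01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4` is the commit a release tag in `crazy-max/ghaction-import-gpg` itself points to, and put that release in the comment instead of `# v6`. The unchanged `continue-on-error: true` on this step means a failed key import does not fail the job. If that is deliberate, a short comment on the step saying that signing is optional would make the intent reviewable.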
@@ -183,7 +183,7 @@ runs:
 - name: Login to Docker GAR
 if: inputs.gar_docker_auth == 'true'
- uses: docker/login-action@v3
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
 with:
 registry: europe-west3-docker.pkg.dev
 username: oauth2accesstoken
@@ -196,7 +196,7 @@ runs:
 - name: Export a Vault token
 id: vault-export-token
 if: inputs.vault_export_token == 'true'
- uses: hashicorp/vault-action@v3.0.0
+ uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
 with:
 url: https://vault.ops.zeit.de
 method: jwt
@@ -226,9 +226,9 @@ runs:
 echo "setup_buildx=$setup_buildx" >> $GITHUB_ENV
 - name: Setup docker buildx container
 if: env.setup_buildx == 'true'
- uses: docker/setup-buildx-action@v3.1.0
+ uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
 # Support `docker buildx build --cache-[from}to] type=gha` directly,
 # and not just via docker/build-push-action.
 - name: Setup docker buildx environment
 if: env.setup_buildx == 'true'
- uses: crazy-max/ghaction-github-runtime@v3.0.0
+ uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0