diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 04908a9..7a6ac17 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     environment: release
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
-      - uses: actions/setup-java@v5
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           java-version: 17
           distribution: temurin
@@ -23,11 +23,11 @@ jobs:
           TAG=${{ github.event.release.tag_name }}
           mvn versions:set -DnewVersion=${TAG#v}
       - name: Create Maven settings.xml
-        uses: s4u/maven-settings-action@v4.0.0
+        uses: s4u/maven-settings-action@894661b3ddae382f1ae8edbeab60987e08cf0788 # v4.0.0
         with:
           servers: '[{"id": "central", "username": "${{ secrets.MAVEN_CENTRAL_USERNAME }}", "password": "${{ secrets.MAVEN_CENTRAL_PASSWORD }}"}]'
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6
         with:
           gpg_private_key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
diff --git a/.github/workflows/summary.yaml b/.github/workflows/summary.yaml
index d8339af..5ef3d0f 100644
--- a/.github/workflows/summary.yaml
+++ b/.github/workflows/summary.yaml
@@ -10,7 +10,7 @@ jobs:
       checks: read
     steps:
       - name: Wait for all triggered status checks
-        uses: poseidon/wait-for-status-checks@v0.6.0
+        uses: poseidon/wait-for-status-checks@899c768d191b56eef585c18f8558da19e1f3e707 # v0.6.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           ignore_pattern: ^codecov/.+
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index fba0b42..a2ad806 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -13,8 +13,8 @@ jobs:
   check-spotless:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-java@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           java-version: 21
           distribution: temurin
@@ -24,15 +24,15 @@ jobs:
   test-coverage:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-java@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           java-version: 17
           distribution: temurin
       - name: Build and test with Maven
         run: mvn -B verify -P coverage
       - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
@@ -44,8 +44,8 @@ jobs:
         java: [17, 21]
         spring-boot: [3.0.13, 3.1.12, 3.2.12, 3.3.8, 3.4.3, 3.5.9]
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-java@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           java-version: ${{ matrix.java }}
           distribution: temurin