diff --git a/.github/workflows/build_docker.yaml b/.github/workflows/build_docker.yaml
index 6bffd52986..14eb46f651 100644
--- a/.github/workflows/build_docker.yaml
+++ b/.github/workflows/build_docker.yaml
@@ -47,7 +47,7 @@ jobs:
     - name: Set up QEMU
       uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
     - name: Login to GHCR
       uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
@@ -66,7 +66,7 @@ jobs:
           ${{ inputs.extra_tags }}
         labels: ${{ inputs.labels }}
     - name: Build and push
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
       with:
         context: .
         file: ${{ inputs.image_file }}
diff --git a/.github/workflows/dependendy-review.yml b/.github/workflows/dependendy-review.yml
index 2166876db9..1bbf4279c4 100644
--- a/.github/workflows/dependendy-review.yml
+++ b/.github/workflows/dependendy-review.yml
@@ -18,4 +18,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 7fdcd0bdbd..e5eae51aa3 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -75,7 +75,7 @@ jobs:
       run: echo "${{needs.gomod.outputs.gomod}}" > go.mod
     - name: restore_gosum
       run: echo "${{needs.gomod.outputs.gosum}}" > go.sum
-    - uses: helm/kind-action@v1.10.0
+    - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
     - run: |
         make install-csi-hostpath-driver
         make install-minio
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 848f39cf59..90808e8ac7 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -91,7 +91,7 @@ jobs:
         export HELM_RELEASE_REPO_INDEX=https://charts.kanister.io/
         make package-helm VERSION=${RELEASE_TAG}
     - name: Free Disk Space (Ubuntu)
-      uses: jlumbroso/free-disk-space@main
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
     - name: gorelease
       run: make gorelease
       env:
diff --git a/.github/workflows/triage-issues.yaml b/.github/workflows/triage-issues.yaml
index 59aea954a1..919aeb1281 100644
--- a/.github/workflows/triage-issues.yaml
+++ b/.github/workflows/triage-issues.yaml
@@ -19,13 +19,13 @@ jobs:
     steps:
     -
       name: Add label
-      uses: actions-ecosystem/action-add-labels@v1.1.3
+      uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
       with:
         labels: "triage"
         github_token: ${{ secrets.GITHUB_TOKEN }}
     -
       name: Add comment
-      uses: actions-ecosystem/action-create-comment@v1.0.2
+      uses: actions-ecosystem/action-create-comment@e23bc59fbff7aac7f9044bd66c2dc0fe1286f80b # v1.0.2
       if: github.event.action == 'opened'
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -37,7 +37,7 @@ jobs:
           If you haven't already, please take a moment to review our project's [Code of Conduct](https://github.com/kanisterio/kanister/blob/master/CODE_OF_CONDUCT.md) document.
     -
       name: Update project
-      uses: alex-page/github-project-automation-plus@v0.9.0
+      uses: alex-page/github-project-automation-plus@303f24a24c67ce7adf565a07e96720faf126fe36 # v0.9.0
       with:
         repo-token: ${{ secrets.GH_TOKEN }} # must use a PAT here
         project: Kanister
diff --git a/.github/workflows/triage-prs.yaml b/.github/workflows/triage-prs.yaml
index e03fae2960..3a9f2068b5 100644
--- a/.github/workflows/triage-prs.yaml
+++ b/.github/workflows/triage-prs.yaml
@@ -20,7 +20,7 @@ jobs:
     steps:
     -
       name: Comment
-      uses: actions-ecosystem/action-create-comment@v1.0.2
+      uses: actions-ecosystem/action-create-comment@e23bc59fbff7aac7f9044bd66c2dc0fe1286f80b # v1.0.2
       # Avoid adding a comment when the PR is on the same repo.
       if: github.event.action == 'opened' && github.event.pull_request.head.repo.fork
       with:
@@ -31,7 +31,7 @@ jobs:
           If you haven't already, please take a moment to review our project [contributing guideline](https://github.com/kanisterio/kanister/blob/master/CONTRIBUTING.md) and [Code of Conduct](https://github.com/kanisterio/kanister/blob/master/CODE_OF_CONDUCT.md) document.
     -
       name: Update status in project
-      uses: alex-page/github-project-automation-plus@v0.9.0
+      uses: alex-page/github-project-automation-plus@303f24a24c67ce7adf565a07e96720faf126fe36 # v0.9.0
       # This only works for PRs opened in the same repo and not by dependabot.
       # Other PRs don't get the necessary credentials.
       if: github.repository == 'kanisterio/kanister' && !github.event.pull_request.head.repo.fork