diff --git a/.github/workflows/action-pin.yaml b/.github/workflows/action-pin.yaml
new file mode 100644
index 0000000000..feb3cb4ba0
--- /dev/null
+++ b/.github/workflows/action-pin.yaml
@@ -0,0 +1,19 @@
+name: Action Pin
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ check-action-pin:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+ - name: Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@0901cf7b71c7ea6261ec69a3dc2bd3f9264f893e # v3.0.12
+ with:
+ allowlist: |
+ slsa-framework/slsa-github-generator
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000000..fbd5087f24
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,16 @@
+name: Action Lint
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ action-lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+ - name: actionlint
+ uses: raven-actions/actionlint@01fce4f43a270a612932cb1c64d40505a029f821 # v2.0.0
diff --git a/.github/workflows/linelint.yml b/.github/workflows/linelint.yml
index 2a3fd997b0..03b814c839 100644
--- a/.github/workflows/linelint.yml
+++ b/.github/workflows/linelint.yml
@@ -14,5 +14,5 @@ jobs:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Linelint
- uses: fernandrone/linelint@0.0.4
+ uses: fernandrone/linelint@8136e0fa9997122d80f5f793e0bb9a45e678fbb1 # 0.0.4
 id: linelint
diff --git a/.github/workflows/markdown_link_check.yml b/.github/workflows/markdown_link_check.yml
index a428b1259c..b2c6ffb849 100644
--- a/.github/workflows/markdown_link_check.yml
+++ b/.github/workflows/markdown_link_check.yml
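Review bot: The new workflow in action-pin.yaml declares no `permissions:` block, so the `check-action-pin` job runs with whatever default GITHUB_TOKEN scope the repository or organisation has configured, although the visible steps only read the checked-out files. Adding a top-level `permissions:` with `contents: read` between `on:` and `jobs:` keeps the token at least privilege regardless of that default. The same applies to the new actionlint.yml workflow added in this commit.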
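Review bot: In actionlint.yml the checkout step is pinned to `a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6`, while markdown_link_check.yml in this same commit and the existing linelint.yml step use `11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. Carrying two SHAs for one action makes the pins harder to audit and to update together. Unless v4.1.6 is intentional, I would use `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` here and in action-pin.yaml.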
@@ -13,7 +13,7 @@ jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@master
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
 with:
 use-quiet-mode: 'yes'
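Review bot: The re-pinned `actions/checkout` step in markdown_link_check.yml keeps the default credential handling, which leaves the job token in the workspace's git config where the third-party link-check step that follows can read it. As far as the hunk shows, this job does no git operations after checkout, so I would add `with:` and `persist-credentials: false` under the checkout step. The checkout steps in the new action-pin.yaml and actionlint.yml workflows would benefit from the same setting. The job definition starts above this hunk and may continue below it.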