diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
index fd2cf4b77..699e2092d 100644
--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@@ -23,16 +23,16 @@ jobs:
 env:
 MATRIX_ARCHITECTURE: ${{ inputs.architecture }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up QEMU
 if: inputs.architecture != 'linux/amd64' && inputs.architecture != 'linux/arm64'
- uses: docker/setup-qemu-action@v3.4.0
+ uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
 with:
 platforms: ${{ inputs.architecture }}
 - name: Expose GitHub Runtime
- uses: crazy-max/ghaction-github-runtime@v3
+ uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.9.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 with:
 # renovate: datasource=github-releases depName=docker/buildx
 version: v0.20.1
@@ -42,13 +42,13 @@ jobs:
 - name: Configure Docker build
 run: .github/bin/get-buildx-args
 - name: Cache
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 id: cache
 with:
 path: uv-cache
 key: uv-cache-${{ hashFiles('Dockerfile') }}-${{ inputs.architecture }}
 - name: inject cache into docker
- uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+ uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
 with:
 cache-map: |
 {
diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml
index ed48fbcda..550a64322 100644
--- a/.github/workflows/container-ci.yml
+++ b/.github/workflows/container-ci.yml
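Review bot: Several of the new pins record only the major alias in the trailing comment — `# v4` on actions/checkout, `# v3` on crazy-max/ghaction-github-runtime and `# v4` on actions/cache in this file — so a reader cannot tell which release the commit SHA resolves to without looking it up, and the same applies to the `# v6`, `# v3`, `# v4` and `# v1` comments in container-ci.yml, container-test.yml, dockerimage.yml, hadolint.yml, label-sync.yml, pre-commit.yml, readme-sync.yml and semgrep.yml. Recording the exact tag the SHA was resolved from (for actions/checkout that would read `# v4.2.2`, after confirming that is the tag the SHA belongs to) keeps the pin auditable and lets pin-update tooling match the SHA to a release. The runner uses the SHA, so this is a comment-only change, but it is the only way a later reviewer can check the pin against the upstream release without re-resolving it. Pins that already carry a full version, such as `docker/setup-qemu-action@… # v3.4.0` and `reproducible-containers/buildkit-cache-dance@… # v3.1.2`, are fine as written.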
@@ -131,11 +131,11 @@ jobs:
 env:
 MATRIX_ARCHITECTURE: linux/amd64
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Expose GitHub Runtime
- uses: crazy-max/ghaction-github-runtime@v3
+ uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.9.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 with:
 # renovate: datasource=github-releases depName=docker/buildx
 version: v0.20.1
@@ -147,15 +147,15 @@ jobs:
 - name: List Docker images
 run: docker image ls --all
 - name: Checkout the code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Anchore scan action
- uses: anchore/scan-action@v6
+ uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6
 id: scan
 with:
 image: weblate/weblate:test
 fail-build: false
 - name: Upload Anchore Scan Report
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
 
@@ -170,11 +170,11 @@ jobs:
 env:
 MATRIX_ARCHITECTURE: linux/amd64
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Expose GitHub Runtime
- uses: crazy-max/ghaction-github-runtime@v3
+ uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.9.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 with:
 # renovate: datasource=github-releases depName=docker/buildx
 version: v0.20.1
@@ -186,9 +186,9 @@ jobs:
 - name: List Docker images
 run: docker image ls --all
 - name: Checkout the code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.29.0
+ uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
 env:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
 with:
@@ -199,10 +199,10 @@ jobs:
 severity: CRITICAL,HIGH
 
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
 with:
 sarif_file: trivy-results.sarif
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
 with:
 name: Trivy scan SARIF
 path: trivy-results.sarif
@@ -216,15 +216,15 @@ jobs:
 - revisions
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3.4.0
+ uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
 with:
 platforms: all
 - name: Expose GitHub Runtime
- uses: crazy-max/ghaction-github-runtime@v3
+ uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.9.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 with:
 # renovate: datasource=github-releases depName=docker/buildx
 version: v0.20.1
@@ -264,15 +264,15 @@ jobs:
 if: ${{ (startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main')) && github.repository == 'WeblateOrg/docker' }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3.4.0
+ uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
 with:
 platforms: all
 - name: Expose GitHub Runtime
- uses: crazy-max/ghaction-github-runtime@v3
+ uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.9.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 with:
 # renovate: datasource=github-releases depName=docker/buildx
 version: v0.20.1
@@ -303,21 +303,21 @@ jobs:
 DOCKER_IMAGE: ghcr.io/weblateorg/weblate
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3.4.0
+ uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
 with:
 platforms: all
 - name: Expose GitHub Runtime
- uses: crazy-max/ghaction-github-runtime@v3
+ uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.9.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 with:
 # renovate: datasource=github-releases depName=docker/buildx
 version: v0.20.1
 - name: Login to GitHub Container Registry
 if: ${{ github.event_name != 'pull_request'}}
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/container-test.yml b/.github/workflows/container-test.yml
index 93681ef0c..64dc6ee34 100644
--- a/.github/workflows/container-test.yml
+++ b/.github/workflows/container-test.yml
@@ -32,13 +32,13 @@ jobs:
 PYTHONUNBUFFERED: 1
 TEST_CONTAINER: weblate/weblate:test
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 submodules: recursive
 - name: Expose GitHub Runtime
- uses: crazy-max/ghaction-github-runtime@v3
+ uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.9.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 with:
 # renovate: datasource=github-releases depName=docker/buildx
 version: v0.20.1
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 47d92dc4f..78772c27a 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -35,6 +35,6 @@ jobs:
 - ci
 if: ${{ startsWith(github.ref, 'refs/tags/') && github.repository == 'WeblateOrg/docker' }}
 steps:
- - uses: ncipollo/release-action@v1
+ - uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # v1
 with:
 generateReleaseNotes: true
diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
index acd7062a8..f468189ce 100644
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -22,5 +22,5 @@ jobs:
 
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4
- - uses: hadolint/hadolint-action@v3.1.0
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
diff --git a/.github/workflows/label-sync.yml b/.github/workflows/label-sync.yml
index d6bd296d3..08c51f4c6 100644
--- a/.github/workflows/label-sync.yml
+++ b/.github/workflows/label-sync.yml
@@ -21,7 +21,7 @@ jobs:
 name: Sync labels
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - uses: srealmoreno/label-sync-action@850ba5cef2b25e56c6c420c4feed0319294682fd # v2
 with:
 clean-labels: true
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index c7064a1fb..ca067b55a 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -20,7 +20,7 @@ jobs:
 
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4 # v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
 with:
 path: ~/.cache/pre-commit
diff --git a/.github/workflows/readme-sync.yml b/.github/workflows/readme-sync.yml
index e091e35f2..8c88b54c3 100644
--- a/.github/workflows/readme-sync.yml
+++ b/.github/workflows/readme-sync.yml
@@ -16,9 +16,9 @@ jobs:
 if: ${{ github.repository == 'WeblateOrg/docker'}}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Docker Hub Description
- uses: peter-evans/dockerhub-description@v4
+ uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 22b950907..75aeb531b 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -20,7 +20,7 @@ jobs:
 container:
 image: returntocorp/semgrep
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - run: semgrep ci
 permissions:
 contents: read
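Review bot: In the semgrep.yml hunk the job container is still `image: returntocorp/semgrep` with no tag or digest, so every run pulls whatever the registry currently serves under the default tag, while the commit pins the `uses:` step in the same hunk by commit SHA; that container is the thing that executes `semgrep ci` over the checkout, so it deserves the same treatment. Pinning it by digest, `image: returntocorp/semgrep@sha256:<digest>` (placeholder — take the digest from the registry at pin time), closes that gap, and a `# renovate:` comment in the style already used for the buildx `version:` in the other workflows keeps it updated, provided the repository's Renovate config matches image references that way. The `permissions:` / `contents: read` lines at the end of the hunk, which appear to be job-level, already limit the token handed to that container and should stay as they are.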