diff --git a/.github/workflows/create-dep-versions-update-pr-in-longhorn-repo.yml b/.github/workflows/create-dep-versions-update-pr-in-longhorn-repo.yml
index a89bdc3..2f8fca7 100644
--- a/.github/workflows/create-dep-versions-update-pr-in-longhorn-repo.yml
+++ b/.github/workflows/create-dep-versions-update-pr-in-longhorn-repo.yml
@@ -35,7 +35,7 @@ jobs:
         echo "PR was merged into branch: ${{ github.event.pull_request.base.ref }}"
 
     - id: app-token
-      uses: actions/create-github-app-token@v2
+      uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
       with:
         app-id: ${{ secrets.LONGHORN_GITHUB_BOT_APP_ID }}
         private-key: ${{ secrets.LONGHORN_GITHUB_BOT_PRIVATE_KEY }}
@@ -51,7 +51,7 @@ jobs:
           echo "LONGHORN_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
         fi
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
         repository: longhorn/longhorn
         token: ${{ steps.app-token.outputs.token }}
@@ -115,7 +115,7 @@ jobs:
 
     - name: Create Pull Request
       id: cpr
-      uses: peter-evans/create-pull-request@v7
+      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
       with:
         token: ${{ steps.app-token.outputs.token }}
         branch: "update-deps-version-${{ github.event.pull_request.number }}"
@@ -128,4 +128,4 @@ jobs:
         title: "chore(chart): update dependency versions (PR longhorn/dep-versions#${{ github.event.pull_request.number}})"
         body: |
           This PR updates dependency versions.
-          It was triggered by longhorn/dep-versions#${{ github.event.pull_request.number}}.
\ No newline at end of file
+          It was triggered by longhorn/dep-versions#${{ github.event.pull_request.number}}.
diff --git a/.github/workflows/trigger-builds.yaml b/.github/workflows/trigger-builds.yaml
index 966a6d4..1a2cc39 100644
--- a/.github/workflows/trigger-builds.yaml
+++ b/.github/workflows/trigger-builds.yaml
@@ -37,7 +37,7 @@ jobs:
           fi
 
       - id: app-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
         with:
           app-id: ${{ secrets.LONGHORN_GITHUB_BOT_APP_ID }}
           private-key: ${{ secrets.LONGHORN_GITHUB_BOT_PRIVATE_KEY }}
@@ -47,7 +47,7 @@ jobs:
           permission-pull-requests: write
 
       - name: Trigger build in longhorn-manager
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
         with:
           token: ${{ steps.app-token.outputs.token }}
           workflow: build.yml
@@ -55,7 +55,7 @@ jobs:
           ref: ${{ steps.set-ref.outputs.ref }}
 
       - name: Trigger build in longhorn-engine
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
         with:
           token: ${{ steps.app-token.outputs.token }}
           workflow: build.yml
@@ -63,7 +63,7 @@ jobs:
           ref: ${{ steps.set-ref.outputs.ref }}
 
       - name: Trigger build in longhorn-share-manager
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
         with:
           token: ${{ steps.app-token.outputs.token }}
           workflow: build.yml
@@ -71,7 +71,7 @@ jobs:
           ref: ${{ steps.set-ref.outputs.ref }}
 
       - name: Trigger build in longhorn-instance-manager
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
         with:
           token: ${{ steps.app-token.outputs.token }}
           workflow: build.yml
@@ -79,7 +79,7 @@ jobs:
           ref: ${{ steps.set-ref.outputs.ref }}
 
       - name: Trigger build in longhorn-spdk-engine
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
         with:
           token: ${{ steps.app-token.outputs.token }}
           workflow: build.yml
@@ -87,7 +87,7 @@ jobs:
           ref: main
 
       - name: Trigger build in go-spdk-helper
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
         with:
           token: ${{ steps.app-token.outputs.token }}
           workflow: build.yml
diff --git a/.github/workflows/update-dep-version.yml b/.github/workflows/update-dep-version.yml
index b7a9f15..1b56920 100644
--- a/.github/workflows/update-dep-version.yml
+++ b/.github/workflows/update-dep-version.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: app-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
         with:
           app-id: ${{ secrets.LONGHORN_GITHUB_BOT_APP_ID }}
           private-key: ${{ secrets.LONGHORN_GITHUB_BOT_PRIVATE_KEY }}
@@ -88,7 +88,7 @@ jobs:
           echo "Successfully created and pushed tag $TAG at commit $COMMIT"
 
       - name: Checkout dep-versions repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           repository: longhorn/dep-versions
           ref: ${{ github.event.inputs.branch }}
@@ -114,7 +114,7 @@ jobs:
 
       - name: Create Pull Request
         id: create-pull-request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
         with:
           token: ${{ steps.app-token.outputs.token }}
           path: dep-versions