diff --git a/.github/workflows/ceph.yml b/.github/workflows/ceph.yml
index 48210dd..57da248 100644
--- a/.github/workflows/ceph.yml
+++ b/.github/workflows/ceph.yml
@@ -47,7 +47,7 @@
       cancel-in-progress: true
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Install Poetry
         run: pipx install poetry
@@ -76,7 +76,7 @@
       # Enable tmate debugging of manually-triggered workflows if the input option was provided
       - name: Setup tmate session
         if: ${{ failure() }}
-        uses: mxschmitt/action-tmate@v3
+        uses: mxschmitt/action-tmate@a283f9441d2d96eb62436dc46d7014f5d357ac22 # v3
         timeout-minutes: 60
 
       - name: Run Molecule Destroy
@@ -96,7 +96,7 @@
       cancel-in-progress: true
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Install Poetry
         run: pipx install poetry
diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml
index fdd9dfd..ffa7fdd 100644
--- a/.github/workflows/check-pr-title.yml
+++ b/.github/workflows/check-pr-title.yml
@@ -19,14 +19,14 @@
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: marocchino/sticky-pull-request-comment@v2.8.0
+      - uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0
         if: failure()
         with:
           header: commitlint-pr-title
           message: ${{ steps.pr-title-lint.outputs.error }}
           recreate: true
 
-      - uses: marocchino/sticky-pull-request-comment@v2.8.0
+      - uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0
         if: success()
         with:
           header: commitlint-pr-title
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 145719a..7a7f3a6 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -7,7 +7,7 @@
   unit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
           go-version-file: go.mod
diff --git a/.github/workflows/csi.yml b/.github/workflows/csi.yml
index 7683fd5..736763d 100644
--- a/.github/workflows/csi.yml
+++ b/.github/workflows/csi.yml
@@ -47,7 +47,7 @@
           - rbd
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Install Poetry
         run: pipx install poetry
diff --git a/.github/workflows/image-manifest.yml b/.github/workflows/image-manifest.yml
index e9d0ca6..7ef696f 100644
--- a/.github/workflows/image-manifest.yml
+++ b/.github/workflows/image-manifest.yml
@@ -26,7 +26,7 @@
     runs-on: v3-standard-8
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Install Poetry
         run: pipx install poetry
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
index 73fe52c..6b0e2ed 100644
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -22,7 +22,7 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Install Earthly
         uses: earthly/actions-setup@v1
@@ -30,7 +30,7 @@
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -50,14 +50,14 @@
       - build
     steps:
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Promote image
-        uses: akhilerm/tag-push-action@v2.1.0
+        uses: akhilerm/tag-push-action@85bf542f43f5f2060ef76262a67ee3607cb6db37 # v2.1.0
         with:
           src: ghcr.io/vexxhost/atmosphere:${{ github.sha }}
           dst: ghcr.io/vexxhost/atmosphere:${{ github.event.release.tag_name }}
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
index 65f1461..1119e64 100644
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -15,7 +15,7 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Install Earthly
         uses: earthly/actions-setup@v1
@@ -40,7 +40,7 @@
           EOF
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
diff --git a/.github/workflows/keycloak.yml b/.github/workflows/keycloak.yml
index ea8c6c2..24d17c0 100644
--- a/.github/workflows/keycloak.yml
+++ b/.github/workflows/keycloak.yml
@@ -26,7 +26,7 @@
     runs-on: v3-standard-8
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Install Poetry
         run: pipx install poetry
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0414a29..135a3b4 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,7 +7,7 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Setup Python
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5
@@ -17,10 +17,10 @@
         run: echo info=$(python -VV | sha256sum | cut -d' ' -f1) >> $GITHUB_OUTPUT
 
       - name: Create pre-commit cache
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
         with:
           path: ~/.cache/pre-commit
           key: pre-commit|${{ steps.python_info.outputs.info }}|${{ hashFiles('.pre-commit-config.yaml') }}
 
       - name: Setup pre-commit
-        uses: pre-commit/action@v3.0.0
+        uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # v3.0.0
diff --git a/.github/workflows/manila.yml b/.github/workflows/manila.yml
index f5fbc45..2e3bcfa 100644
--- a/.github/workflows/manila.yml
+++ b/.github/workflows/manila.yml
@@ -33,7 +33,7 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 
@@ -48,13 +48,13 @@
           poetry self add "poetry-dynamic-versioning[plugin]"
 
       - name: Clone openstack/manila-image-elements
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           repository: openstack/manila-image-elements
           path: manila-image-elements
 
       - name: Cache DIB_IMAGE_CACHE
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
         with:
           path: ~/.cache/image-create
           key: dib-image-cache
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index cd8c430..9f2c9ba 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,15 +11,15 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Build and publish collection
-        uses: artis3n/ansible_galaxy_collection@v2
+        uses: artis3n/ansible_galaxy_collection@3368f56529a2ef47ef0ac1ecfcda039f90d0174a # v2
         with:
           api_key: "${{ secrets.GALAXY_API_KEY }}"
 
       - name: Get release
-        uses: bruceadams/get-release@v1.3.2
+        uses: bruceadams/get-release@74c3d60f5a28f358ccf241a00c9021ea16f0569f # v1.3.2
         id: get_release
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -29,7 +29,7 @@
         run: echo ::set-output name=filename::$(ls *.tar.gz)
 
       - name: Upload release asset
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/pxc.yml b/.github/workflows/pxc.yml
index 305139e..964b993 100644
--- a/.github/workflows/pxc.yml
+++ b/.github/workflows/pxc.yml
@@ -26,7 +26,7 @@
     runs-on: v3-standard-8
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Install Poetry
         run: pipx install poetry
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 63966ee..055ff80 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Run "release-please"
         uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4