diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5ace460
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/build_artifact.yml b/.github/workflows/build_artifact.yml
index 9f2f895..c34ab56 100644
--- a/.github/workflows/build_artifact.yml
+++ b/.github/workflows/build_artifact.yml
@@ -11,7 +11,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: [ ubuntu-latest ]
+    runs-on: [ubuntu-latest]
 
     concurrency:
       # Cancel intermediate builds
@@ -22,14 +22,14 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
 
       - name: Go
         uses: ./.github/workflows/composite/go
 
       - name: Build
         run: make clean lint prepare build pack
-      
+
       - name: Environment
         run: |
           echo "GOARCH=$(go env GOARCH)" >> $GITHUB_ENV
@@ -37,11 +37,11 @@ jobs:
           echo "BRANCH=$(echo ${{ github.ref_name }} | tr -C '[a-z0-9-\n]' '_')" >> $GITHUB_ENV
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
         with:
           name: k6-${{env.GOARCH}}-${{env.GOOS}}-${{ env.BRANCH }}.tar.gz
           path: ./bin/*.tar.gz
           if-no-files-found: warn
           overwrite: true
-          retention-days: 3    # we need it just for releases
+          retention-days: 3 # we need it just for releases
           compression-level: 0 # this is already a gzipped archive
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7cd9f4a..6856c75 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ permissions:
 
 jobs:
   verify:
-    runs-on: [ ubuntu-latest ]
+    runs-on: [ubuntu-latest]
 
     concurrency:
       # Cancel intermediate builds
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
 
       - name: Go
         uses: ./.github/workflows/composite/go
diff --git a/.github/workflows/composite/go/action.yml b/.github/workflows/composite/go/action.yml
index 4d1ddbf..1daa527 100644
--- a/.github/workflows/composite/go/action.yml
+++ b/.github/workflows/composite/go/action.yml
@@ -4,12 +4,12 @@ runs:
   using: composite
   steps:
     - name: Setup Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # ratchet:actions/setup-go@v5
       with:
         go-version: '1.22'
 
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # ratchet:golangci/golangci-lint-action@v6
       with:
         version: v1.58.2
         args: --verbose --concurrency=2 --timeout=600s