diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 447cd8f..e9214e8 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -6,9 +6,9 @@ jobs:
   commitlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v6
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
         with:
           configFile: "./.github/commitlint.config.mjs"
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index 2587f76..984d4e7 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -15,10 +15,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
 
       - name: Terraform Format
         id: fmt
@@ -38,7 +38,7 @@ jobs:
         run: terraform plan -no-color -input=false
         continue-on-error: true
 
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
         if: github.event_name == 'pull_request'
         env:
           PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
diff --git a/.github/workflows/terrascan.yaml b/.github/workflows/terrascan.yaml
index 7e06695..eca6eb0 100644
--- a/.github/workflows/terrascan.yaml
+++ b/.github/workflows/terrascan.yaml
@@ -7,7 +7,7 @@ jobs:
     name: terrascan
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Run Terrascan
         id: terrascan
         uses: tenable/terrascan-action@main
@@ -25,6 +25,6 @@ jobs:
           #webhook_url:
           #webhook_token:
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3
         with:
           sarif_file: terrascan.sarif
diff --git a/template-repo/template/.github/workflows/build.yml b/template-repo/template/.github/workflows/build.yml
index 1beeffc..d47c8f9 100644
--- a/template-repo/template/.github/workflows/build.yml
+++ b/template-repo/template/.github/workflows/build.yml
@@ -18,7 +18,7 @@ jobs:
           sudo mv terraform /usr/local/bin
           rm *
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Validate examples terraform v${{ matrix.tf-version }}
         run: make examples
   build:
diff --git a/template-repo/template/.github/workflows/conventional-labels.yaml b/template-repo/template/.github/workflows/conventional-labels.yaml
index a8cd9ae..c7232fa 100644
--- a/template-repo/template/.github/workflows/conventional-labels.yaml
+++ b/template-repo/template/.github/workflows/conventional-labels.yaml
@@ -6,7 +6,7 @@ jobs:
   label:
     runs-on: ubuntu-latest
     steps:
-      - uses: bcoe/conventional-release-labels@v1
+      - uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 # v1
         with:
           type_labels: '{"feat": "feature", "fix": "bug", "breaking": "breaking"}'
           ignored_types: '[]'