diff --git a/.github/workflows/add_new_versions.yml b/.github/workflows/add_new_versions.yml
index 728c8d61..1742b40b 100644
--- a/.github/workflows/add_new_versions.yml
+++ b/.github/workflows/add_new_versions.yml
@@ -23,18 +23,18 @@ jobs:
 secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY
 - name: Create App Token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1
 id: app-token
 with:
 app-id: ${{ env.APP_ID }}
 private-key: ${{ env.PRIVATE_KEY }}
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 token: ${{ steps.app-token.outputs.token }}
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
 with:
 python-version: '3.10'
 cache: 'pip'
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 2ea7b857..a0d22093 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -8,10 +8,10 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 container:
- image: rancher/dapper:v0.6.0
+ image: rancher/dapper:v0.6.0@sha256:72aac90cc3d637bd1f4a6792406c35ba01033287eba255d59e08622ad41f6a5d
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Validate
 run: dapper validate 
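Review bot: The trailing comments `# v1`, `# v4` and `# v5` on the newly pinned `uses:` lines name only the moving major tag, so nothing in the file records which release each commit SHA was resolved from. A reviewer cannot match a SHA to an upstream release by reading the workflow, and a later bump has no baseline to compare against. The github-script pin in create-release.yml already carries a full version (`# v7.0.1`); the same form would fit here, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.X.Y` with X.Y filled in from the release the SHA was taken from. The same applies to the `# v4` and `# v2` comments in the other hunks of create-release.yml and workflow.yaml.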
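Review bot: `image: rancher/dapper:v0.6.0@sha256:…` keeps the tag next to the digest, and when both are present the image is resolved by digest alone, so `v0.6.0` is only a label. A later edit that changes the tag but leaves the old digest would keep running the old image without any error. A comment above the line would make that explicit, for example `# digest is authoritative; update it together with the tag`. The same line appears in both container hunks of workflow.yaml.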
@@ -24,13 +24,13 @@ jobs:
 generated-tag: ${{ steps.generate_tag.outputs.generated-tag }}
 steps:
 - name: Check out repository code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Run tests
 id: generate_tag
 run: |
 tag=$(bash scripts/generate-release-tag)
 echo "generated-tag=$tag" >> $GITHUB_OUTPUT
- - uses: actions/github-script@v7.0.1
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
@@ -63,7 +63,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Add tag to version file
 run: |
 echo "{\"version\": \"${{ needs.tag.outputs.generated-tag }}\"}" > dist/VERSION
@@ -73,11 +73,11 @@ jobs:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/google-auth/rancher/credentials token | GOOGLE_AUTH
 - name: Authenticate with Google Cloud
- uses: 'google-github-actions/auth@v2'
+ uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # v2
 with:
 credentials_json: '${{ env.GOOGLE_AUTH }}'
 - name: Upload to Google Cloud Storage
- uses: google-github-actions/upload-cloud-storage@v2
+ uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2
 with:
 path: dist/
 destination: releases.rancher.com/install-docker
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index 8f5f7860..9a25129d 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -15,10 +15,10 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 container:
- image: rancher/dapper:v0.6.0
+ image: rancher/dapper:v0.6.0@sha256:72aac90cc3d637bd1f4a6792406c35ba01033287eba255d59e08622ad41f6a5d
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Validate
 run: dapper validate 
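Review bot: The `run:` line in the `@@ -63,7` hunk of create-release.yml writes `${{ needs.tag.outputs.generated-tag }}` straight into the script, so the value is substituted into the shell text before the shell starts and is parsed as code rather than data. It comes from `scripts/generate-release-tag`, whose output format is not visible here; if it can ever contain quotes or other shell metacharacters, the step misbehaves in what appears to be the same job that later loads the upload credential. Passing it through the environment avoids that: add `env:` with `GENERATED_TAG: ${{ needs.tag.outputs.generated-tag }}` to the step and use `"${GENERATED_TAG}"` inside the echo. The `run: |` block may continue past the end of this hunk.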
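Review bot: The step that reads `GOOGLE_AUTH` from Vault begins above the `@@ -73,11` hunk, and its `uses:` line is not among the changed lines, so this commit appears to leave that reference as it was. That action handles the service-account credential directly, so it matters at least as much as the two Google actions pinned here. If it still points at a branch or tag, it should get the same treatment, `uses: OWNER/ACTION@<full-commit-sha> # vX.Y.Z` (placeholders). The same holds for the secret-reading steps ahead of the add_new_versions.yml hunk and the `@@ -57,11` hunk of workflow.yaml.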
@@ -30,10 +30,10 @@ jobs:
 timeout-minutes: 90
 if: github.event_name == 'pull_request'
 container:
- image: rancher/dapper:v0.6.0
+ image: rancher/dapper:v0.6.0@sha256:72aac90cc3d637bd1f4a6792406c35ba01033287eba255d59e08622ad41f6a5d
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Test
 run: dapper test
@@ -47,7 +47,7 @@ jobs:
 if: github.event_name == 'push' && github.ref == 'refs/heads/master'
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Add commit to version file
 run: |
 echo "{\"version\": \"${{ github.sha }}\"}" > dist/VERSION
@@ -57,11 +57,11 @@ jobs:
 secrets: |
 secret/data/github/repo/${{ github.repository }}/google-auth/rancher/credentials token | GOOGLE_AUTH
 - name: Authenticate with Google Cloud
- uses: 'google-github-actions/auth@v2'
+ uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # v2
 with:
 credentials_json: '${{ env.GOOGLE_AUTH }}'
 - name: Upload to Google Cloud Storage
- uses: google-github-actions/upload-cloud-storage@v2
+ uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2
 with:
 path: dist/
 destination: releases.rancher.com/install-docker-dev