diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index be7cfb3..1ae02c7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: ci
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   test:
 
@@ -9,24 +12,25 @@ jobs:
 
     strategy:
       matrix:
-        python-version: [ '3.6', '3.7', '3.8', '3.9', '3.10' ]
+        python-version: [ '3.10', '3.11' ]
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@28f2168f4d98ee0445e3c6321f6e6616c83dd5ec
         with:
           python-version: ${{ matrix.python-version }}
+          cache: 'pip'
       - name: Install requirements
         run: |
-          python -m pip install -r requirements.txt
-          python setup.py install
+          python -m pip install --require-hashes -r requirements.txt
+          pip install . --no-deps
       - name: Check source files
         if: matrix.python-version == '3.10'
         run: |
-          python -m pip install pytest-pycodestyle
-          python -m pip install pytest-flakes
+          python -m pip install pytest-pycodestyle==2.3.1 --require-hashes --hash=sha256:dd0060039e12a59b521da8e57e17133c965566dd8d17631e589e7545238829ac
+          python -m pip install pytest-flakes==4.0.5 --require-hashes --hash=sha256:953134e97215ae31f6879fbd7368c18d43f709dc2fab5b7777db2bb2bac3a924
           py.test --pycodestyle ftw
           py.test --flakes ftw
       - name: Run tests
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 87ce4bb..8ea8572 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,25 +4,28 @@ on:
   release:
     types: [created]
 
+permissions: 
+  contents: read
+
 jobs:
   deploy:
 
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
     - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@28f2168f4d98ee0445e3c6321f6e6616c83dd5ec
       with:
-        python-version: '3.x'
+          python-version: '3.11'
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install setuptools wheel twine
+        python -m pip install --require-hashes -r requirements-build.txt
     - name: Build and publish
       env:
         TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
         TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
       run: |
-        python setup.py sdist bdist_wheel
+        python -m build
         twine upload dist/*
diff --git a/requirements-build.txt b/requirements-build.txt
new file mode 100644
index 0000000..a643f96
--- /dev/null
+++ b/requirements-build.txt
@@ -0,0 +1,4 @@
+twine==6.2.0 --hash=sha512:e0b7826a32625654ffe1f262c5b022c8026aea3f642a2a0d58bad5e0215c115e085ee7345d1953ca50fcc661f95f3943d036ef7974a0401f803a2b5a2951a796
+wheel==0.46.3 --hash=sha512:2ca4b84603344b8a29a2bd2850188751666a9f840c49869da644bd63eebfab097df32dd7086b85e6e93a7a9e161f6df3ece9fe1a42e622b6a8834ef444fd378b
+setuptools==82.0.1 --hash=sha512:24132d3af7054ea6e75e3bc4fd90bbb845dd146a0f38d7411c3e7c183fe1c08e210c06c3f1302a41d639eb15467dc6312d1f22ba49c438296058e2dfd2ca9d8f
+build==1.4.0 --hash=sha512:4c24accb4c1ad3352c5a528841b9950869ddfae88ec83dbc05bc06a28035751c9d54e209eabecc171f72905f84f38e505af9d866d9a0083a57a800ed4d85a878
diff --git a/requirements.txt b/requirements.txt
index b46f7dc..be31dc0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
-Brotli==1.0.9
-IPy==1.01
-PyYAML==6.0
-pytest==6.2.5
-python-dateutil==2.8.2
+Brotli==1.2.0 --hash=sha512:e197edc1fc9097a77d6ba0fa48cf8b0f23fe7ce0b89d941bddc71c4bb35184823fdbb12d73e086a4c1b29913052db774a1a6bc8da9697bd9c4bbf8fdf2b4a322
+IPy==1.01 --hash=sha512:f0983254523025a1819d543877d9651fb6a9e39dabd3b043488495f681b02e43b544a0121658a0430a418a1c39b360a59db1699af87a75a16a2bdc29fcb2b74c
+PyYAML==6.0.3 --hash=sha512:ffcb8aa66e6a09a70c08025006744d7a0948cdbfd5cd3b78bc50deb6416afca7d1dbcccef58804d2328d39a264b74cc15e9a08dd8f7305725b0a48a3585e6db4
+pytest==9.0.2 --hash=sha512:fabfaf0ed5c328b9f596a90f4b11f673b8bd25f0cdd80c1d3a4858ac699c2c2059a57d9eefd0cb10d3195bca341bb081c03045e1b30fcc799c302d069ec2b030
+python-dateutil==2.9.0 --hash=sha512:68c13dcfeef8f2b9e06fe6bbbd5f59367069f76718e9ffedfcfcf632c5ddb6bbd85bb94bddb1439f9793dc56066aa05b7ff4cc29e41dec6a6b0a5014c8f71334
diff --git a/setup.py b/setup.py
index 59309d0..eab61f3 100644
--- a/setup.py
+++ b/setup.py
@@ -31,7 +31,7 @@
         "Framework :: Pytest",
     ],
     packages=["ftw"],
-    python_requires=">=3.6",
+    python_requires=">=3.10",
     use_scm_version=True,
     setup_requires=['setuptools_scm'],
     install_requires=[