diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 09f03d7..7e17088 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -30,8 +30,8 @@ jobs:
         with:
           go-version: 1.24
       - name: Install helm
-        uses: azure/setup-helm@v4.3.1
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
       - name: Install Helm-unittest
         run: helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git
       - name : CI
-        run : make ci
\ No newline at end of file
+        run : make ci
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7cf3e63..1e66ac5 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -57,7 +57,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name : "Read vault secrets"
-        uses : rancher-eio/read-vault-secrets@main
+        uses : rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
         with:
           secrets: |
             secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
@@ -68,7 +68,7 @@ jobs:
 
         # This encapsulates: login, qemu, build/push
       - name: Build and push PushProx image (dockerhub and prime stg)
-        uses: rancher/ecm-distro-tools/actions/publish-image@master
+        uses: rancher/ecm-distro-tools/actions/publish-image@575bb831c67edd950bfedb59d41dd127bd0005d6 # v0.65.2
         with:
           image: 'pushprox'
           tag: ${{ github.ref_name }}
@@ -90,7 +90,7 @@ jobs:
 
       - name : "Read vault secrets"
         if: ${{ steps.semver_check.outputs.HAS_PRERELEASE == 'false' }}
-        uses : rancher-eio/read-vault-secrets@main
+        uses : rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3
         with:
           secrets: |
             secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
@@ -99,7 +99,7 @@ jobs:
 
       - name: Build and push PushProx image (prime prod)
         if: ${{ steps.semver_check.outputs.HAS_PRERELEASE == 'false' }}
-        uses: rancher/ecm-distro-tools/actions/publish-image@master
+        uses: rancher/ecm-distro-tools/actions/publish-image@575bb831c67edd950bfedb59d41dd127bd0005d6 # v0.65.2
         with:
           image: 'pushprox'
           tag: ${{ github.ref_name }}
diff --git a/.github/workflows/renovate-vault.yml b/.github/workflows/renovate-vault.yml
index d52deb1..557db83 100644
--- a/.github/workflows/renovate-vault.yml
+++ b/.github/workflows/renovate-vault.yml
@@ -33,7 +33,7 @@ permissions:
 
 jobs:
   call-workflow:
-    uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@release
+    uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@c88cbe41a49d02648b9bf83aa5a64902151323fa # release
     with:
       logLevel: ${{ inputs.logLevel || 'info' }}
       overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}