diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 61dbacc9..6e7528a1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,16 +7,16 @@ jobs:
 if: ${{ !cancelled() && ! failure() }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 with:
 fetch-depth: 0
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: ${{ matrix.python-version }}
 - id: pages
 name: Setup pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
 - run: env | sort
 - run: make dev
 - run: make lint
@@ -35,12 +35,12 @@ jobs:
 if: ${{ !cancelled() && ! failure() }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Set up Git
 run: |
 git config --global user.name github-actions
 git config --global user.email github-actions@github.com
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index 2751ce2e..e228e683 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -6,7 +6,7 @@ jobs:
 commitlint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - run: env | sort
 - name: Install commitlint with conventional config
 run: npm install --save-dev @commitlint/config-conventional @commitlint/cli
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
index 4e7ca504..ec9048d9 100644
--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
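Review bot: The trailing `# v4` on each pinned `uses:` line in the first ci.yml hunk names only the moving major tag, so nothing in the file records which release the 40-character SHA was taken from. Record the exact release in the comment instead, e.g. `- uses: actions/checkout@<sha> # vX.Y.Z`, so a later reviewer can check the pin against the upstream tag and an update bot can show a readable version change. The same applies to every other pinned line in this commit (second ci.yml hunk, commitlint.yml, devcontainer.yml, readthedocs-preview.yml, release.yml). Before merging, confirm that each SHA is the commit the named tag resolves to in the action's own repository; the diff alone cannot show that.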
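Review bot: In the commitlint.yml hunk the checkout action is now pinned, but the install step two lines below still resolves `@commitlint/config-conventional` and `@commitlint/cli` to whatever the registry serves at run time, so the job keeps an unpinned third-party input. Pin those as well, for example `run: npm install --save-dev @commitlint/config-conventional@<version> @commitlint/cli@<version>`, or install from a committed lockfile with `npm ci`. The install line is unchanged context here, and whether the repository already carries a lockfile is not visible in this diff.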
@@ -9,8 +9,8 @@ jobs:
 packages: write
 runs-on: ubuntu-latest
 steps:
- - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
+ - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
+ - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
 with:
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io
@@ -18,7 +18,7 @@ jobs:
 - name: Build and push dev container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
diff --git a/.github/workflows/readthedocs-preview.yml b/.github/workflows/readthedocs-preview.yml
index ac5e34f7..68bfc816 100644
--- a/.github/workflows/readthedocs-preview.yml
+++ b/.github/workflows/readthedocs-preview.yml
@@ -6,7 +6,7 @@ jobs:
 documentation-links:
 runs-on: ubuntu-latest
 steps:
- - uses: readthedocs/actions/preview@v1
+ - uses: readthedocs/actions/preview@cc0920454cf03ca8a3fbd3cbaa2ce2e509e70636 # v1
 with:
 project-slug: ss-python
 on:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 07318359..9fcd9bae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,28 +3,28 @@ jobs:
 pages-build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 with:
 fetch-depth: 0
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
 - id: pages
 name: Setup pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
 - run: env | sort
 - run: make dev-doc
 - run: CI_PAGES_URL=${{ steps.pages.outputs.base_url }} make doc
 - name: Generate release notes
 run: make release-notes > release-notes.md
 - name: Upload release notes
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: release-notes
 path: release-notes.md
 - name: Upload pages artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
 with:
 path: public
 release-publish:
@@ -34,7 +34,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download release notes
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4
 with:
 name: release-notes
 - id: prerelease
@@ -46,7 +46,7 @@ jobs:
 echo "is_prerelease=false" > $GITHUB_OUTPUT
 fi
 - name: Create GitHub release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
 with:
 body_path: release-notes.md
 prerelease: ${{ steps.prerelease.outputs.is_prerelease }}
@@ -57,8 +57,8 @@ jobs:
 packages: write
 runs-on: ubuntu-latest
 steps:
- - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
+ - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
+ - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
 with:
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io
@@ -66,7 +66,7 @@ jobs:
 - name: Build and push dev container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
@@ -82,7 +82,7 @@ jobs:
 - name: Build and push prod container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
@@ -107,8 +107,8 @@ jobs:
 needs: release-publish
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pdm-project/setup-pdm@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
@@ -126,7 +126,7 @@ jobs:
 steps:
 - id: deployment
 name: Deploy to GitHub Pages
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4
 on:
 push:
 tags:
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index fb211593..628b62e5 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -12,7 +12,7 @@ jobs:
 RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
 RENOVATE_REPOSITORY_CACHE: enabled
 RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
- image: ghcr.io/renovatebot/renovate:latest
+ image: ghcr.io/renovatebot/renovate:latest@sha256:6b5508487d42dcd36f95ff1139958f3b755bc8ff77b805b86eb1c59db943ef2f
 options: '--user root'
 outputs:
 tokenExists: ${{ steps.check_token.outputs.tokenExists }}
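Review bot: In the renovate.yml hunk, `renovate:latest@sha256:…` keeps the `latest` tag next to a fixed digest. The image is pulled by digest and the tag is ignored, so the line reads as "always newest" while the container is frozen at whatever `latest` pointed to when it was pinned. Name a concrete release beside the digest, e.g. `image: ghcr.io/renovatebot/renovate:<version>@sha256:<digest>`, so a reviewer can tell which build receives `RENOVATE_TOKEN` and runs with `--user root` (both unchanged context here). Whether the repository's Renovate configuration refreshes this digest is not visible in the diff; without that, the pinned image will silently fall behind on fixes.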