diff --git a/.github/workflows/api-check.yml b/.github/workflows/api-check.yml index 7ada689..c64c544 100644 --- a/.github/workflows/api-check.yml +++ b/.github/workflows/api-check.yml @@ -20,7 +20,7 @@ jobs: OS_DOMAIN: apps.silver.devops.gov.bc.ca GTW_DOMAIN: api.gov.bc.ca steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Postman Smoke Test on API Gateway uses: matt-ball/newman-action@master diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index f2926e0..62eb639 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -41,7 +41,7 @@ jobs: environment: name: test steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Deploys uses: bcgov/action-deployer-openshift@d972993c70aba88e4f2fe66a66c4b7149fa9fcad # v4.0.0 with: @@ -84,7 +84,7 @@ jobs: environment: name: prod steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Deploys uses: bcgov/action-deployer-openshift@d972993c70aba88e4f2fe66a66c4b7149fa9fcad # v4.0.0 diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 52f535d..e0671a5 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -20,10 +20,10 @@ jobs: outputs: semver: ${{ steps.changelog.outputs.tag }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Pull request size and stability labels - uses: actions/labeler@v5 + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5 continue-on-error: true with: repo-token: "${{ secrets.GITHUB_TOKEN }}" 
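Review bot: `uses: matt-ball/newman-action@master` in the trailing context of the api-check.yml hunk (the Postman Smoke Test step) still tracks a mutable branch, so pinning `actions/checkout` beside it leaves the larger gap open. The same reference appears in pr-open.yml in the hunk at `@@ -145,7`, in a job whose visible context grants `checks: write` and `pull-requests: write`. Pin both the same way as the other actions, e.g. `uses: matt-ball/newman-action@<full-commit-sha> # <release-tag>`, taking the SHA from an upstream commit that has been reviewed. Both step bodies continue outside their hunks, so the inputs and secrets they receive cannot be judged from here.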
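Review bot: In merge.yml at `@@ -41,7`, the comment on the new `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5` line names only the moving major tag, while the `bcgov/action-deployer-openshift@d972993c70aba88e4f2fe66a66c4b7149fa9fcad # v4.0.0` line two lines below records an exact release. The SHA is fixed but `v5` is not, so once upstream moves the tag the comment no longer identifies what is pinned, and an auditor has to resolve the hash by hand. Record the release the SHA was cut from, e.g. `# v5.Y.Z` with the real numbers filled in. The same applies to every `# v5`, `# v4` and `# v3` comment added in the other hunks of this commit.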
@@ -38,7 +38,7 @@ jobs: - name: Conventional Changelog Update continue-on-error: true - uses: TriPSs/conventional-changelog-action@67139193614f5b9e8db87da1bd4240922b34d765 # v6 + uses: TriPSs/conventional-changelog-action@5f00b899ccbbcbc112bd6d715d5e76e7a9e4501d # v6 id: changelog with: github-token: ${{ github.token }} @@ -145,7 +145,7 @@ jobs: checks: write pull-requests: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: API Health check uses: matt-ball/newman-action@master with: diff --git a/.github/workflows/reusable-tests-be.yml b/.github/workflows/reusable-tests-be.yml index 559eebc..0c045d4 100644 --- a/.github/workflows/reusable-tests-be.yml +++ b/.github/workflows/reusable-tests-be.yml @@ -28,7 +28,7 @@ jobs: - name: Archive CycloneDX continue-on-error: true - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: cyclone-backend path: target/bom.json diff --git a/.github/workflows/reusable-tests-repo.yml b/.github/workflows/reusable-tests-repo.yml index 5391259..b3fe12e 100644 --- a/.github/workflows/reusable-tests-repo.yml +++ b/.github/workflows/reusable-tests-repo.yml @@ -9,7 +9,7 @@ jobs: if: github.event_name != 'pull_request' || !github.event.pull_request.draft runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@f9424c10c36e288d5fa79bd3dfd1aeb2d6eae808 # 0.33.0 with: @@ -21,7 +21,7 @@ jobs: severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # v3 with: sarif_file: "trivy-results.sarif" 
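Review bot: In pr-open.yml at `@@ -38,7`, the `TriPSs/conventional-changelog-action` line moves from one full SHA to another while its comment stays `# v6`, so a third-party version change is folded into a pinning commit and nothing on the line says which release the new commit is. The step is passed `github-token: ${{ github.token }}` and runs with `continue-on-error: true`, so a behaviour change in the action would not fail the job. Before merging, confirm that `5f00b899ccbbcbc112bd6d715d5e76e7a9e4501d` belongs to the upstream repository's tagged history rather than to a fork, since a fork commit resolves under the same `owner/repo@sha` reference. Then record the exact tag in the comment, e.g. `# v6.Y.Z` with the real numbers filled in.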
@@ -33,14 +33,14 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@v5 - - uses: github/codeql-action/init@v3 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: github/codeql-action/init@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # v3 with: languages: javascript,java # Autobuild failed for Java, so building manually - name: Set up JDK 17 and Caching maven dependencies - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5 with: distribution: "temurin" java-version: "17" @@ -51,4 +51,4 @@ jobs: run: ./mvnw clean package - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # v3
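Review bot: In reusable-tests-repo.yml, `github/codeql-action/init` (hunk `@@ -33,14`) and `github/codeql-action/analyze` (hunk `@@ -51,4`) are now pinned on separate lines to the same SHA `2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d`, and nothing in the file says they must stay equal. With tag references they moved together automatically; with hashes a later hand edit or partial update can leave `init` and `analyze` on different commits of the action. Add a comment above the `init` step such as `# init and analyze must reference the same codeql-action commit; update both together`. The simplest rule is to keep `upload-sarif` in the `@@ -21,7` hunk on that commit as well.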