diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0a84a46b8..806e229f1 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -21,14 +21,14 @@ jobs:
 id-token: 'write'
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Get Short Sha
 id: short-sha
 run: echo "sha=$(git rev-parse --short=12 HEAD)" >> $GITHUB_OUTPUT
 - name: 'Set up Cloud SDK'
- uses: 'google-github-actions/setup-gcloud@v3'
+ uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db' # v3
 - name: Construct tags
 id: construct-tags
 run: |
@@ -52,7 +52,7 @@ jobs:
 ENVIRONMENT_TAG: ${{ steps.construct-tags.outputs.environment-tag }}
 - id: 'auth'
 name: 'Authenticate to Google Cloud'
- uses: 'google-github-actions/auth@v3'
+ uses: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093' # v3
 with:
 # Centralized in dsp-tools-k8s; ask in #dsp-devops-champions for help troubleshooting
 token_format: 'access_token'
@@ -60,7 +60,7 @@ jobs:
 service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com'
 # authenticate to GAR docker repo
 - name: Docker Login
- uses: 'docker/login-action@v4'
+ uses: 'docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee' # v4
 with:
 registry: 'us-central1-docker.pkg.dev'
 username: 'oauth2accesstoken'
@@ -74,7 +74,7 @@ jobs:
 SHA_TAG: ${{ steps.construct-tags.outputs.sha-tag }}
 ENVIRONMENT_TAG: ${{ steps.construct-tags.outputs.environment-tag }}
 report-to-sherlock:
- uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
+ uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@a6dc633a77b77a038c5534ad3a038536505fea2f # main
 needs: [ tag-build-push ]
 with:
 new-version: ${{ needs.tag-build-push.outputs.sherlock-version }}
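Review bot: The pin comments on setup-gcloud, auth and docker/login-action record only a major tag (`# v3`, `# v4`) while the checkout pin records the exact release (`# v6.0.2`); a major-only comment does not say which release the SHA was taken from, so a later reader cannot audit the pin without resolving the commit upstream, and update tooling that keys off this comment (Dependabot, Renovate) works from whatever is written there. Record the exact release tag next to each SHA, e.g. `# v3.<minor>.<patch>` filled in from the upstream release, and confirm each SHA resolves to a tag in the named upstream repository rather than a fork. The same major-only comments appear on setup-java in coverage.yaml and maven.yaml and on dsp-appsec-trivy-action in trivy.yaml. The two sherlock reusable-workflow pins in the last hunk are commented `# main`, which names a branch rather than a release, so it is unclear how or when the SHA is expected to be refreshed; a short note of what the commit corresponds to (date or upstream change) next to `# main` would make that reviewable.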
@@ -84,7 +84,7 @@ jobs:
 id-token: 'write'
 set-version-in-dev:
 if: github.event_name == 'push'
- uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
+ uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@a6dc633a77b77a038c5534ad3a038536505fea2f # main
 needs: [ tag-build-push, report-to-sherlock ]
 with:
 new-version: ${{ needs.tag-build-push.outputs.sherlock-version }}
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index a0f111072..e789c29b7 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -13,11 +13,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
- - uses: actions/setup-java@v5
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: 'temurin'
 java-version: 25
diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml
index d298c74da..e09b2fdd3 100644
--- a/.github/workflows/maven.yaml
+++ b/.github/workflows/maven.yaml
@@ -6,10 +6,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: actions/setup-java@v5
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: 'temurin'
 java-version: 25
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index cf7bf4c77..7c6ce842a 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -7,7 +7,7 @@ jobs:
 image: returntocorp/semgrep
 name: Check
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: semgrep ci --config=p/findsecbugs
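Review bot: In the semgrep.yml hunk the job still runs inside `image: returntocorp/semgrep` with no tag or digest, so while the checkout action is now pinned, the container that executes `semgrep ci` is resolved by floating tag on every run and is the remaining unpinned third-party code in that job. Pin it by digest in the same spirit as the action pins, `image: returntocorp/semgrep@sha256:<digest>` with the tag in a trailing comment (digest to be taken from the registry), so it is audited and refreshed the same way. The job definition around this hunk (its `runs-on` and the rest of `container:`) is outside the hunk.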
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index e9c8f5e2f..aa98c33d5 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -7,7 +7,7 @@ jobs:
 name: DSP AppSec Trivy check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: broadinstitute/dsp-appsec-trivy-action@v1
+ - uses: broadinstitute/dsp-appsec-trivy-action@c1b62b340a158930941f2ffde12831c1d1df586d # v1