diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 10815770b..ffebcb2b0 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -5,5 +5,18 @@
     "schedule:weekly"
   ],
   "timezone": "America/Los_Angeles",
-  "includePaths": [".github/**"]
+  "includePaths": [".github/**"],
+  "packageRules": [
+    // Pin GitHub Actions to immutable SHAs.
+    {
+      matchDepTypes: ["action"],
+      pinDigests: true,
+    },
+    // Annotate GitHub Actions SHAs with a SemVer version.
+    {
+      extends: ["helpers:pinGitHubActionDigests"],
+      extractVersion: "^(?<version>v?\\d+\\.\\d+\\.\\d+)$",
+      versioning: "regex:^v?(?<major>\\d+)(\\.(?<minor>\\d+)\\.(?<patch>\\d+))?$",
+    },
+  ],
 }
diff --git a/.github/workflows/build_wheel.yml b/.github/workflows/build_wheel.yml
index 53da9aa13..9b5c47c18 100644
--- a/.github/workflows/build_wheel.yml
+++ b/.github/workflows/build_wheel.yml
@@ -9,7 +9,7 @@ jobs:
           - 3.12.6
     runs-on: [self-hosted, fasttext]
     steps:
-    - uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Install Python
       run: |
         uv python install ${{ matrix.python-version }}