diff --git a/.github/workflows/auto_import.yaml b/.github/workflows/auto_import.yaml
index 0be48ec7..5d2ddb46 100644
--- a/.github/workflows/auto_import.yaml
+++ b/.github/workflows/auto_import.yaml
@@ -9,8 +9,8 @@ jobs:
     name: Auto import
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         go-version: '^1.16.4'
     - run: |
@@ -21,7 +21,7 @@ jobs:
           wget https://storage.googleapis.com/cve-osv-conversion/nvd/nvdcve-2.0-$year.json;
         done
     - run: |
-        go install github.com/google/osv/vulnfeeds/cmd/pypi@master
+        go install github.com/google/osv/vulnfeeds/cmd/pypi@4fcedbd3c18bbfefb5bae7c854a7af5e30cc3321 # master
         for nvdfile in nvdcve-2.0-*.json; do
           pypi -false_positives triage/false_positives.yaml \
                -nvd_json $nvdfile \
diff --git a/.github/workflows/automation.yaml b/.github/workflows/automation.yaml
index 31b3fcb0..dc2319e5 100644
--- a/.github/workflows/automation.yaml
+++ b/.github/workflows/automation.yaml
@@ -12,10 +12,10 @@ jobs:
     name: Analysis
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 64
-    - uses: google/osv/actions/analyze@master
+    - uses: google/osv/actions/analyze@4fcedbd3c18bbfefb5bae7c854a7af5e30cc3321 # master
       with:
         analyze-git: false
         pr-base: HEAD~63
@@ -32,12 +32,12 @@ jobs:
     name: Assign IDs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         go-version: '^1.16.4'
     - run: |
-        go install github.com/google/osv/vulnfeeds/cmd/ids@latest
+        go install github.com/google/osv/vulnfeeds/cmd/ids@4fcedbd3c18bbfefb5bae7c854a7af5e30cc3321 # master
         ids -dir=./vulns -prefix PYSEC
         git config user.name github-actions
         git config user.email github-actions@github.com