diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5d0b1df9..6f8bf215 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: 3.11 @@ -24,7 +24,7 @@ jobs: - name: Install dependencies including python-dotenv run: | - poetry install + poetry install --no-update - name: Run Mypy with ignore missing imports run: poetry run mypy --ignore-missing-imports . @@ -33,24 +33,24 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: 3.11 - name: Bootstrap poetry run: | curl -sSL https://install.python-poetry.org | python - -y --version 1.5.1 - name: Install dependencies - run: poetry install + run: poetry install --no-update - name: Test run: poetry run pytest . -v run-examples: name: Run examples (to look for regressions) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' - name: test examples (not rate limiting) 
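Review bot: The trailing `# v4` / `# v5` comments on the pinned `uses:` lines name only the moving major tag, so a reader cannot tell which release each SHA corresponds to or check it against the action's release page. Recording the exact release would make the pin auditable, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # vX.Y.Z` (placeholder for the real tag), and likewise for `actions/setup-python`. Before merging, it is also worth confirming that each SHA is reachable from a release tag in the action's own repository rather than from a fork. The same pins recur in the hunks at -33 and -78, and the job definitions continue outside this hunk.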
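Review bot: `poetry install --no-update` in the "Install dependencies including python-dotenv" step is likely to fail, because as far as I know `--no-update` is an option of `poetry lock` rather than `poetry install`, and Poetry rejects unknown options. A plain `poetry install` already installs the versions recorded in `poetry.lock` when that file is committed, so the flag adds no pinning. If the aim is to fail CI when the lock file has drifted from `pyproject.toml`, run a separate check first, e.g. `poetry lock --check` followed by `poetry install`. Confirm the check command against the Poetry release in use; the other jobs bootstrap 1.5.1. The same change appears in the hunks at -33 and -78.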
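Review bot: The "Bootstrap poetry" step, left unchanged by this commit, still pipes `https://install.python-poetry.org` straight into `python`, so the installer script is fetched unpinned and unverified on every run while the actions around it are now pinned to commit SHAs. Only the Poetry version (`--version 1.5.1`) is fixed, not the script that performs the install. One option is `pipx install poetry==1.5.1`, assuming pipx is available on the runner image. Another is to download the installer at a fixed revision and verify its digest before executing it. The same step appears in the hunk at -78.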
@@ -78,16 +78,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: 3.11 - name: Bootstrap poetry run: | curl -sSL https://install.python-poetry.org | python - -y --version 1.5.1 - name: Install dependencies - run: poetry install + run: poetry install --no-update - name: Update pyproject.toml run: | sed 's/description = ""/description = "A Python SDK for Sayari"/g' pyproject.toml > tmp_pyproject diff --git a/renovate.json b/renovate.json new file mode 100644 index 00000000..8c4c150c --- /dev/null +++ b/renovate.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended" + ], + "packageRules": [ + { + "matchManagers": [ + "pip_requirements", + "poetry", + "pipenv", + "uv" + ], + "minimumReleaseAge": "7 days", + "description": "Supply-chain hardening: 7-day cooldown for all PyPI packages" + } + ] +}
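Review bot: The `minimumReleaseAge` rule in `renovate.json` matches only the Python managers, so the GitHub Actions pinned to SHAs in `ci.yml` by this same commit get no cooldown when Renovate proposes new digests. Adding `"github-actions"` to `matchManagers`, or a second rule for it, would extend the 7-day delay to them; the `description` should then no longer say "all PyPI packages". As far as I recall, `config:recommended` does not itself pin action digests, so an action added later by tag would stay unpinned unless `"helpers:pinGitHubActionDigests"` is also listed under `extends`. Check this against the Renovate preset documentation.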