diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml
index d754018..e752e51 100644
--- a/.github/workflows/build-all.yml
+++ b/.github/workflows/build-all.yml
@@ -54,7 +54,7 @@ jobs:
 - name: Build
 id: build_image
- uses: redhat-actions/buildah-build@v2
+ uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
 with:
 context: '.'
 containerfiles: |
@@ -93,7 +93,7 @@ jobs:
 run: echo "current_version=${CURRENT_VERSION}"
 - name: Log in to ghcr.io
- uses: redhat-actions/podman-login@v1
+ uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
 password: ${{ github.token }}
@@ -107,7 +107,7 @@ jobs:
 - name: Publish
 id: push
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
 with:
 image: ${{ steps.build_image.outputs.image }}
 tags: ${{ steps.current-version.outputs.value }} ${{ steps.build_image.outputs.tags }}
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index f94cc72..d4d9ac7 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -50,7 +50,7 @@ jobs:
 - name: Build
 id: build_image
- uses: redhat-actions/buildah-build@v2
+ uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # 2.13
 with:
 context: '.'
 containerfiles: |
@@ -85,7 +85,7 @@ jobs:
 echo "Collected version: $version"
 - name: Log in to ghcr.io
- uses: redhat-actions/podman-login@v1
+ uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
 password: ${{ github.token }}
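Review bot: Nothing in the change shows that each new 40-character pin was checked against the release named in its trailing comment (`# v2.13`, `# v1.7`, `# v2.8`), and that comment is the only human-readable link between the SHA and a version. Before merging, confirm that each SHA is the commit the matching tag points to in the `redhat-actions` repository itself, because GitHub also resolves a commit that exists only in a fork of that repository. This applies to the buildah-build, podman-login and push-to-registry pins in both build-all.yml and build-image.yml. If zizmor is run with network access, its `impostor-commit` audit can perform this check automatically.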
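Review bot: The pin comment in the first build-image.yml hunk reads `# 2.13`, while the identical pin in build-all.yml reads `# v2.13`; write the tag name as published, `# v2.13`, in both files. Reviewers comparing a SHA against a release depend on the comment being the exact tag. Update tooling that rewrites the comment alongside the SHA presumably depends on it too, so an odd format risks a stale comment after the next bump.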
@@ -101,7 +101,7 @@ jobs:
 - name: Publish
 id: push
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
 with:
 image: ${{ steps.build_image.outputs.image }}
 tags: ${{ steps.current-version.outputs.value }} ${{ steps.build_image.outputs.tags }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1d6f9c4..256e775 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -99,7 +99,7 @@ jobs:
 needs: build
 runs-on: ubuntu-latest
- if: (!cancelled() && github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]')
+ if: (!cancelled() && github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && !contains(github.event.pull_request.labels.*.name, 'github_actions'))
 permissions:
 contents: write
diff --git a/zizmor.yml b/zizmor.yml
index efced06..28129c7 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -3,4 +3,4 @@ rules:
 config:
 policies:
 actions/*: ref-pin
- "*": ref-pin
+ bowtie-json-schema/bowtie: ref-pin
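Review bot: The added `!contains(github.event.pull_request.labels.*.name, 'github_actions')` clause in build.yml fails open: a Dependabot pull request that bumps an action but lacks that exact label still runs the job with `contents: write`. The label could be missing because it was renamed, removed by a maintainer, or replaced by a custom `labels:` list in the Dependabot config. The job's steps are outside the hunk, so what it does with that permission is not visible here. If it approves or merges, gating on the `package-ecosystem` output of `dependabot/fetch-metadata` would be sturdier than a mutable label. If the intent is to keep action bumps under human review, record it above the `if:` with a comment such as `# Action updates change pinned SHAs; leave them for manual review.`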
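Review bot: Removing the `"*": ref-pin` catch-all in zizmor.yml means every action outside `actions/*` and `bowtie-json-schema/bowtie` now falls under zizmor's built-in default policy for the installed version, which the file no longer states. If the intent is that third-party actions must be pinned to a commit SHA, as the workflow changes in this commit suggest, state it explicitly with `"*": hash-pin` under `policies:`. That keeps the requirement from shifting silently on a zizmor upgrade. The rule these policies belong to is defined above the hunk, so this reading rests on the three context lines shown.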