diff --git a/.github/workflows/publish-release-npm-package.yml b/.github/workflows/publish-release-npm-package.yml
index 9ebe4d5..7110ad5 100644
--- a/.github/workflows/publish-release-npm-package.yml
+++ b/.github/workflows/publish-release-npm-package.yml
@@ -17,10 +17,10 @@ jobs:
 id-token: write
 steps:
 - name: 🧮 Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 - name: 🔧 Yarn cache
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 cache: "yarn"
 registry-url: "https://registry.npmjs.org"
diff --git a/.github/workflows/reusable-playwright-tests.yml b/.github/workflows/reusable-playwright-tests.yml
index f10d7d5..46e7bee 100644
--- a/.github/workflows/reusable-playwright-tests.yml
+++ b/.github/workflows/reusable-playwright-tests.yml
@@ -14,11 +14,11 @@ jobs:
 name: Run Playwright end-to-end tests & upload html report
 runs-on: ubuntu-24.04-arm
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 with:
 repository: ${{ inputs.webapp-artifact && 'element-hq/element-modules' || github.repository }}
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 cache: "yarn"
 node-version: "lts/*"
@@ -31,7 +31,7 @@ jobs:
 run: echo "version=$(yarn list --pattern @playwright/test --depth=0 --json --non-interactive --no-progress | jq -r '.data.trees[].name')" >> "$GITHUB_OUTPUT"
 - name: Cache playwright binaries
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 id: playwright-cache
 with:
 path: ~/.cache/ms-playwright
@@ -43,7 +43,7 @@ jobs:
 - name: Fetch webapp
 if: inputs.webapp-artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: ${{ inputs.webapp-artifact }}
 path: webapp
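Review bot: The trailing `# v4` on the new `uses:` lines records only the major alias, so a reader cannot tell which release the SHA `08eba0b2…` was taken from without resolving it; a pin comment is most useful when it names the exact release tag, e.g. `# v4.N.M` filled in from the release the SHA belongs to. Dependabot and Renovate update that comment alongside the SHA, and an exact tag lets reviewers notice drift between the comment and the commit it sits next to. The same applies to every SHA-pinned `uses:` line in this commit (reusable-playwright-tests.yml, sonarqube.yml, static-analysis.yaml, synapse-module.yml, tests.yml).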
@@ -60,7 +60,7 @@ jobs:
 - name: Upload blob report to GitHub Actions Artifacts
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: playwright-html-report
 path: playwright-report
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 9078d3f..e660b7f 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -38,7 +38,7 @@ jobs:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 - name: 📥 Download artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 run-id: ${{ github.event.workflow_run.id }}
@@ -56,7 +56,7 @@ jobs:
 - name: "🩻 SonarCloud Scan"
 id: sonarcloud
- uses: matrix-org/sonarcloud-workflow-action@v3.3
+ uses: matrix-org/sonarcloud-workflow-action@6fa326fe328568a4800c431fe864826caff79b41 # v3.3
 # workflow_run fails report against the develop commit always, we don't want that for PRs
 continue-on-error: ${{ github.event.workflow_run.head_branch != 'develop' }}
 with:
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
index 1c87aef..693245c 100644
--- a/.github/workflows/static-analysis.yaml
+++ b/.github/workflows/static-analysis.yaml
@@ -24,14 +24,14 @@ jobs:
 - lint:prettier
 - lint:knip
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 cache: "yarn"
 node-version: "lts/*"
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.11"
diff --git a/.github/workflows/synapse-module.yml b/.github/workflows/synapse-module.yml
index b3f9891..6214f20 100644
--- a/.github/workflows/synapse-module.yml
+++ b/.github/workflows/synapse-module.yml
@@ -17,7 +17,7 @@ jobs:
 env:
 DOCKER_IMAGE: ghcr.io/element-hq/synapse-guest-module
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 - name: Login to ghcr.io
 uses: docker/login-action@v3
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a8d8d22..3426e69 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -14,14 +14,14 @@ jobs:
 name: Run tests & upload coverage reports
 runs-on: ubuntu-24.04-arm
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 cache: "yarn"
 node-version: "lts/*"
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.11"
@@ -35,7 +35,7 @@ jobs:
 run: sed -ie 's/filename="/filename="modules\/restricted-guests\/synapse\//' modules/restricted-guests/synapse/coverage.xml
 - name: Upload Artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: coverage
 path: |
diff --git a/modules/restricted-guests/synapse/Dockerfile b/modules/restricted-guests/synapse/Dockerfile
index dc39a08..ccd3a05 100644
--- a/modules/restricted-guests/synapse/Dockerfile
+++ b/modules/restricted-guests/synapse/Dockerfile
@@ -1,7 +1,7 @@
 ARG DEBIAN_VERSION_NUMERIC=12
 # Now copy it into our base image.
-FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}:debug AS build
+FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}:debug@sha256:fb8a6977b18fe8fa8056c02c3e47bb4d71472ae4765b809ac32c05589b77177e AS build
 FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}
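Review bot: `docker/login-action@v3`, two lines below the newly pinned checkout step, is still referenced by a mutable tag, so this workflow keeps one third-party action unpinned — the one that is handed the ghcr.io credential — while the commit pins everything else to a commit SHA. Pin it the same way, `uses: docker/login-action@<commit-sha-of-the-v3-release> # v3`, with the SHA resolved from the upstream release. That line is context rather than a changed line here, so the fix falls just outside what the commit touches; the steps list continues outside the hunk.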
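Review bot: Only the `:debug` build stage receives a digest; the second `FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}` on the last line of the hunk — the base of the image that is actually shipped — is still resolved by tag at build time. Pin it as well, `FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}@sha256:<digest-of-the-runtime-base>`, resolved from the same distroless release as the build stage. Note also that once a `@sha256:` digest is present the tag portion is informational only, so `ARG DEBIAN_VERSION_NUMERIC` no longer selects the build-stage image; a comment above the pinned line such as `# the digest selects the image; DEBIAN_VERSION_NUMERIC is documentation only for this stage` would make that explicit.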
diff --git a/packages/element-web-module-api/Dockerfile b/packages/element-web-module-api/Dockerfile
index 00d0e42..1c4b155 100644
--- a/packages/element-web-module-api/Dockerfile
+++ b/packages/element-web-module-api/Dockerfile
@@ -1,6 +1,6 @@
-ARG ELEMENT_VERSION=latest
+ARG ELEMENT_VERSION=latest@sha256:6e91e641abe70dd02f1461b4f1ebf8f6807bfa381ec7f2c13e9e286c4e2b2918
-FROM --platform=$BUILDPLATFORM node:lts-alpine AS builder
+FROM --platform=$BUILDPLATFORM node:lts-alpine@sha256:bd26af08779f746650d95a2e4d653b0fd3c8030c44284b6b98d701c9b5eb66b9 AS builder
 ARG BUILD_CONTEXT
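Review bot: `ARG ELEMENT_VERSION=latest@sha256:6e91e641…` pins the digest but keeps the `latest` tag, which is ignored once a digest is present, so the value no longer records which Element release is being built against. Add the resolved version as a comment on that line, `# <element release the digest resolves to>`, the way the workflow pins in this commit carry `# v4`, so the pin stays auditable and updatable. How `ELEMENT_VERSION` is consumed lies outside the hunk; if it is interpolated anywhere other than a `FROM` reference (a label, URL or filename), the `@sha256:` suffix would now leak into that value — worth confirming.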