diff --git a/.github/scripts/install_test_binaries.sh b/.github/scripts/install_test_binaries.sh
deleted file mode 100755
index 7806d0c55..000000000
--- a/.github/scripts/install_test_binaries.sh
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/env bash
-# Installs Solc and Geth binaries
-# Note: intended for use only with CI (x86_64 Ubuntu, MacOS or Windows)
-set -e
-
-GETH_BUILD=${GETH_BUILD:-"1.11.2-73b01f40"}
-
-BIN_DIR=${BIN_DIR:-"$HOME/bin"}
-
-PLATFORM="$(uname -s | awk '{print tolower($0)}')"
-if [ "$PLATFORM" != "linux" ] && [ "$PLATFORM" != "darwin" ]; then
-    EXT=".exe"
-fi
-
-main() {
-    mkdir -p "$BIN_DIR"
-    cd "$BIN_DIR"
-    export PATH="$BIN_DIR:$PATH"
-    if [ "$GITHUB_PATH" ]; then
-        echo "$BIN_DIR" >> "$GITHUB_PATH"
-    fi
-
-    install_geth &
-    g=$!
-    install_solc &
-    wait $g $!
-
-    echo ""
-    echo "Installed Geth:"
-    geth version
-    echo ""
-    echo "Installed Solc:"
-    solc --version
-}
-
-# Installs geth from https://geth.ethereum.org/downloads
-install_geth() {
-    case "$PLATFORM" in
-        linux|darwin)
-            name="geth-$PLATFORM-amd64-$GETH_BUILD"
-            curl -s "https://gethstore.blob.core.windows.net/builds/$name.tar.gz" | tar -xzf -
-            mv -f "$name/geth" ./
-            rm -rf "$name"
-            chmod +x geth
-            ;;
-        *)
-            name="geth-windows-amd64-$GETH_BUILD"
-            zip="$name.zip"
-            curl -so "$zip" "https://gethstore.blob.core.windows.net/builds/$zip"
-            unzip "$zip"
-            mv -f "$name/geth.exe" ./
-            rm -rf "$name" "$zip"
-            ;;
-    esac
-}
-
-# Installs solc from https://binaries.soliditylang.org (https://github.com/ethereum/solc-bin)
-install_solc() {
-    bins_url="https://binaries.soliditylang.org"
-    case "$PLATFORM" in
-        linux)  bins_url+="/linux-amd64";;
-        darwin) bins_url+="/macosx-amd64";;
-        *)      bins_url+="/windows-amd64";;
-    esac
-
-    list=$(curl -s "$bins_url/list.json")
-    # use latest version
-    if [ -z "$SOLC_VERSION" ]; then
-        SOLC_VERSION="$(echo "$list" | jq -r ".latestRelease")"
-    fi
-    bin=$(echo "$list" | jq -r ".releases[\"$SOLC_VERSION\"]")
-
-    if [ "$bin" = "null" ]; then
-        echo "Invalid Solc version: $SOLC_VERSION" 1>&2
-        exit 1
-    fi
-
-    # windows versions <= 0.7.1 use .zip
-    if [[ "$bin" = *.zip ]]; then
-        echo "Cannot install solc <= 0.7.1" 1>&2
-        exit 1
-    fi
-
-    curl -so "$bin" "$bins_url/$bin"
-    mv -f "$bin" "solc$EXT"
-    chmod +x "solc$EXT"
-}
-
-main
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 397a2ffe4..7656fbbab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,15 +35,14 @@ jobs:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@master
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
         with:
           toolchain: ${{ matrix.rust }}
-      - name: Install test binaries
-        shell: bash
-        run: ./.github/scripts/install_test_binaries.sh
       - name: Install nextest
-        uses: taiki-e/install-action@nextest
-      - uses: Swatinem/rust-cache@v2
+        uses: taiki-e/install-action@e5f8d33e7166e0491b2ab4ff0567cc6cd6772737 # v2
+        with:
+          tool: nextest
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2
         with:
           cache-on-failure: true
       - name: test
@@ -57,8 +56,10 @@ jobs:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        with:
+          toolchain: stable
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2
         with:
           cache-on-failure: true
       - run: cargo test --workspace --doc --all-features
@@ -70,9 +71,13 @@ jobs:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: taiki-e/install-action@cargo-hack
-      - uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        with:
+          toolchain: stable
+      - uses: taiki-e/install-action@e5f8d33e7166e0491b2ab4ff0567cc6cd6772737 # master
+        with:
+          tool: cargo-hack
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2
         with:
           cache-on-failure: true
       - name: cargo hack
@@ -85,8 +90,11 @@ jobs:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@clippy
-      - uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        with:
+          toolchain: nightly
+          components: clippy
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2
         with:
           cache-on-failure: true
       - run: cargo clippy --workspace --all-targets --all-features
@@ -100,8 +108,10 @@ jobs:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@nightly
-      - uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        with:
+          toolchain: nightly
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2
         with:
           cache-on-failure: true
       - run: cargo doc --workspace --all-features --no-deps --document-private-items
@@ -115,13 +125,14 @@ jobs:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@nightly
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
         with:
+          toolchain: nightly
           components: rustfmt
       - run: cargo fmt --all --check
 
   deny:
-    uses: ithacaxyz/ci/.github/workflows/deny.yml@main
+    uses: ithacaxyz/ci/.github/workflows/deny.yml@9c8d0dc20e7ad02455d3fdab2378a05f29907630 # main
 
   ci-success:
     runs-on: ubuntu-latest
@@ -138,6 +149,6 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@release/v1
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index dd672fa3a..d2566ffd1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,5 +1,8 @@
 name: CodeQL
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["main"]
@@ -19,9 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
-      packages: read
       actions: read
-      contents: read
 
     strategy:
       fail-fast: false