diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d55b0b4..851501c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -24,3 +24,14 @@ updates:
       # We don't want to stay on an LTS version and want to have more regular updates here:
       - dependency-name: "io.quarkiverse.openapi.generator:*"
         versions: ["2.6.0-lts", "2.7.0-lts", "2.8.0-lts", "2.9.0-lts"]
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: monthly
+    groups:
+      actions:
+        patterns:
+          - "*"
+    allow:
+      - dependency-name: "actions/*"
+      - dependency-name: "redhat-actions/*"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 34baf5e..d555962 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,10 +17,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
 
       - name: Set up JDK 21
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # 4.7.0
         with:
           distribution: temurin
           java-version: 21
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index beef1b8..c72920c 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -25,10 +25,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
 
       - name: Set up JDK 21
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # 4.7.0
         with:
           distribution: temurin
           java-version: 21
@@ -37,17 +37,17 @@ jobs:
         run: ./mvnw -B clean verify
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4.0.0
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # 4.2.0
         with:
           version: 'v3.13.3'
 
       - name: Install CLI tools from OpenShift Mirror
-        uses: redhat-actions/openshift-tools-installer@v1
+        uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # 1.13.1
         with:
           oc: "latest"
 
       - name: Log in to OpenShift
-        uses: redhat-actions/oc-login@v1
+        uses: redhat-actions/oc-login@5eb45e848b168b6bf6b8fe7f1561003c12e3c99d # 1.3
         with:
           openshift_server_url: ${{ secrets.OPENSHIFT_SERVER_INFRA_PROD }}
           openshift_token: ${{ secrets.OPENSHIFT_TOKEN_INFRA_PROD }}
@@ -66,7 +66,7 @@ jobs:
           oc get imagestream -o json | jq -r '.items[0].status.publicDockerImageRepository' | awk -F"[/]" '{print $1}' >> "$GITHUB_OUTPUT"
 
       - name: Log in to OpenShift Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ steps.oc-registry.outputs.OC_REGISTRY_URL }}
           username: ignored