diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 5887bdf3..4a235439 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -22,7 +22,7 @@ jobs:
         python-version: "3.13"
     
     - name: Install the latest version of uv
-      uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7
+      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
     
     - name: Sync dependencies
       run: uv sync
diff --git a/.github/workflows/test-and-build.yaml b/.github/workflows/test-and-build.yaml
index e4812d0b..42d41134 100644
--- a/.github/workflows/test-and-build.yaml
+++ b/.github/workflows/test-and-build.yaml
@@ -27,7 +27,7 @@ jobs:
         python-version: "3.13"
 
     - name: Install the latest version of uv
-      uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7
+      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
     
     - name: Sync dependencies
       run: uv sync
@@ -47,7 +47,7 @@ jobs:
 
       - name: Authenticate to Google Cloud
         id: auth
-        uses: google-github-actions/auth@v1.1.1
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           workload_identity_provider: "projects/${{ secrets.GAR_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions"
           service_account: "gh-actions-microdata@${{ secrets.GAR_PROJECT_ID }}.iam.gserviceaccount.com"
@@ -55,10 +55,10 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Login to Artifact Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ env.REGISTRY }}
           username: "oauth2accesstoken"
@@ -66,7 +66,7 @@ jobs:
 
       - name: Extract build metadata for Docker
         id: build_metadata
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE }}
           tags: |
@@ -74,7 +74,7 @@ jobs:
             type=raw,value=latest
 
       - name: Build and push docker image to Artifact Registry
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           provenance: false
diff --git a/.github/workflows/update-tools-version.yaml b/.github/workflows/update-tools-version.yaml
index d846e3b8..6fc33277 100644
--- a/.github/workflows/update-tools-version.yaml
+++ b/.github/workflows/update-tools-version.yaml
@@ -24,7 +24,7 @@ jobs:
           python-version: "3.13"
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7
+        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
       - name: Sync dependencies
         run: uv sync