diff --git a/.github/workflows/changeset-prod.yml b/.github/workflows/changeset-prod.yml
index 1603db1..d91f272 100644
--- a/.github/workflows/changeset-prod.yml
+++ b/.github/workflows/changeset-prod.yml
@@ -66,7 +66,7 @@ jobs:
       # open a PR to merge changes into main
       # when it's merged, trigger the release workflow for the stable channel
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6.1.0
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
         with:
           branch: changeset-release/main
           # base: origin/main
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5c351d7..711ab2b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -58,11 +58,11 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@9278e421667d5d90a2839487a482448c4ec7df4d # v3
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -90,6 +90,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@9278e421667d5d90a2839487a482448c4ec7df4d # v3
       with:
         category: "/language:${{matrix.language}}"