diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 07285d6bc8..d71eb7a805 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -250,7 +250,7 @@ jobs:
         SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 
     - name: Upload packages to packagecloud.io
-      uses: TykTechnologies/packagecloud-action@main
+      uses: TykTechnologies/packagecloud-action@7add92bc6a06914be404cf7fa00a6ccb302e6ac5 # main
       if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
       env:
         PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
@@ -320,7 +320,7 @@ jobs:
         fetch-depth: 0
 
     - name: Code signing with Software Trust Manager
-      uses: digicert/ssm-code-signing@v1.1.1
+      uses: digicert/ssm-code-signing@fb61e357690ad6aaa11c372000c37fb74d35c000 # v1.1.1
       if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags'))
       env:
         FORCE_DOWNLOAD_TOOLS: 'true'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 6958881137..df2728b8f5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -31,7 +31,7 @@ jobs:
       env:
         DOCS_PRIVATE_KEY: ${{ secrets.DOCS_PRIVATE_KEY }}
 
-    - uses: FirebaseExtended/action-hosting-deploy@v0
+    - uses: FirebaseExtended/action-hosting-deploy@e2eda2e106cfa35cdbcf4ac9ddaf6c4756df2c8c # v0
       with:
         repoToken: '${{ secrets.GITHUB_TOKEN }}'
         firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_TABBY_DOCS }}'