diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b5fd32fdbbe5..eed792261875 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -59,7 +59,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # v3.26.12
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -73,7 +73,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # v3.26.12
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -86,6 +86,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # v3.26.12
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/commits.yml b/.github/workflows/commits.yml
index 91965090decd..75c935eedd30 100644
--- a/.github/workflows/commits.yml
+++ b/.github/workflows/commits.yml
@@ -12,7 +12,7 @@ permissions:
 jobs:
   commits:
     name: Branch target and CLA
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
     - name: Check branch target
       env:
@@ -33,4 +33,4 @@ jobs:
         exit 1
 
     - name: Check if CLA signed
-      uses: canonical/has-signed-canonical-cla@main
+      uses: canonical/has-signed-canonical-cla@046337b42822b7868ad62970988929c79f9c1d40  # 1.2.3
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 30c5f50c4175..e42a7c2910dc 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -42,7 +42,7 @@ jobs:
           key: trivy-cache-${{ github.run_id }}
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # v3.26.12
         with:
           sarif_file: "trivy-lxd-repo-scan-results.sarif"
           sha: ${{ github.sha }}
@@ -96,7 +96,7 @@ jobs:
           ref: ${{ (matrix.version == 'latest' && 'main') || format('stable-{0}', matrix.version) }}
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # v3.26.12
         with:
           sarif_file: /home/runner/${{ matrix.version }}-stable.sarif
           sha: ${{ github.sha }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 14fbb26cafd6..b54ec3c7a625 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -55,7 +55,7 @@ jobs:
       #      useful feedback in the PR through github-code-scanning bot
       - id: ShellCheck
         name: Differential ShellCheck
-        uses: redhat-plumbers-in-action/differential-shellcheck@v5
+        uses: redhat-plumbers-in-action/differential-shellcheck@cc6721c45a8800cc666de45493545a07a638d121  # v5.4.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           strict-check-on-push: true
@@ -406,7 +406,7 @@ jobs:
           gocov-xml < "${GOCOVERDIR}"/coverage.json > "${GOCOVERDIR}"/coverage-go.xml
 
       - name: Run TICS
-        uses: tiobe/tics-github-action@v3
+        uses: tiobe/tics-github-action@d18bbcecfe7c96a6e3499bffc6792c4e8e9428a6  # v3.2.0
         with:
           mode: qserver
           project: LXD
@@ -549,7 +549,7 @@ jobs:
           make doc-spellcheck
 
       - name: Run inclusive naming checker
-        uses: get-woke/woke-action@v0
+        uses: get-woke/woke-action@b2ec032c4a2c912142b38a6a453ad62017813ed0  # v0
         with:
           fail-on-error: true
           woke-args: "*.md **/*.md -c https://github.com/canonical/Inclusive-naming/raw/main/config.yml"
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 2208228dfea0..f51c832e284b 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -32,7 +32,7 @@ jobs:
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       - name: Notify
-        uses: iamfj/action-label-notification@v1.0.0
+        uses: iamfj/action-label-notification@4e60f368a1f941089eeda54fdeb120f3f49ff66c  # v1.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           mapping: >