diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d4cdac9..40f4d50 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,4 +44,4 @@ jobs:
           name: artifact
           path: dist
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # 1.12.4
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 12d91bf..2d83787 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ jobs:
           submodules: true
           persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # 6.0.1
       - name: Install tox
         run: uv tool install --python-preference only-managed --python 3.13 tox --with tox-uv --with tox-gh
       - name: Install Python
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 3d15ced..d76c6ee 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -22,11 +22,11 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # 6.0.1
         with:
           enable-cache: false
 
       - name: Run zizmor
-        run: uvx zizmor@1.5.2 --format plain .
+        run: uvx zizmor@1.7.0 --format plain .
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}