diff --git a/.github/workflows/publish-application-packages.yml b/.github/workflows/publish-application-packages.yml
index 6721bd8c46..c30c7105fa 100644
--- a/.github/workflows/publish-application-packages.yml
+++ b/.github/workflows/publish-application-packages.yml
@@ -23,7 +23,7 @@ jobs:
           ref: ${{ github.event.inputs.branchName }}
 
       - name: Install The Latest Release Version of Zarf
-        uses: defenseunicorns/setup-zarf@main
+        uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
 
       - name: "Login to GHCR"
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
diff --git a/.github/workflows/scan-lint.yml b/.github/workflows/scan-lint.yml
index 5bda787160..b27ad00d77 100644
--- a/.github/workflows/scan-lint.yml
+++ b/.github/workflows/scan-lint.yml
@@ -12,7 +12,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Run Revive Action by pulling pre-built image
-        uses: docker://morphy/revive-action:v2
+        uses: docker://morphy/revive-action@sha256:087d4e61077087755711ab7e9fae3cc899b7bb07ff8f6a30c3dfb240b1620ae8 # v2.5.7
         with:
           config: revive.toml
           # Exclude patterns, separated by semicolons (optional)
diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml
index 38dd0ca4a1..bafbcf3760 100644
--- a/.github/workflows/test-upgrade.yml
+++ b/.github/workflows/test-upgrade.yml
@@ -63,7 +63,7 @@ jobs:
           chmod +x build/zarf
 
       - name: Install release version of Zarf
-        uses: defenseunicorns/setup-zarf@main
+        uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
         with:
           download-init-package: true