diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7f24971..75b05ca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Validate release PR
-      uses: edgedb/action-release/validate-pr@master
+      uses: edgedb/action-release/validate-pr@bae6b9134e872166b43d218dd79397c851c41c9a
       id: checkver
       with:
         require_team: Release Managers
@@ -37,7 +37,7 @@ jobs:
         mkdir -p dist/
         echo "${VERSION}" > dist/VERSION
 
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32  # v3.1.3
       with:
         name: dist
         path: dist/
@@ -47,20 +47,20 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
       with:
         fetch-depth: 50
         submodules: true
 
     - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4.7.1
 
     - name: Build source distribution
       run: |
         python -m pip install -U setuptools wheel pip
         python setup.py sdist
 
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32  # v3.1.3
       with:
         name: dist
         path: dist/*.tar.*
@@ -99,18 +99,18 @@ jobs:
       PIP_DISABLE_PIP_VERSION_CHECK: 1
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
       with:
         fetch-depth: 50
         submodules: true
 
     - name: Set up QEMU
       if: matrix.os == 'ubuntu-latest' && matrix.cibw_arch == 'aarch64'
-      uses: docker/setup-qemu-action@v1
+      uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3  # v3.0.0
       with:
         platforms: arm64
 
-    - uses: pypa/cibuildwheel@v2.9.0
+    - uses: pypa/cibuildwheel@fff9ec32ed25a9c576750c91e06b410ed0c15db7  # v2.16.2
       env:
         CIBW_BUILD_VERBOSITY: 1
         CIBW_BUILD: ${{ matrix.cibw_python }}
@@ -120,7 +120,7 @@ jobs:
         CIBW_TEST_COMMAND_WINDOWS: "python {project}\\tests\\__init__.py"
         CIBW_TEST_SKIP: "*universal2:arm64"
 
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32  # v3.1.3
       with:
         name: dist
         path: wheelhouse/*.whl
@@ -130,12 +130,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
       with:
         fetch-depth: 5
         submodules: false
 
-    - uses: actions/download-artifact@v2
+    - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
       with:
         name: dist
         path: dist/
@@ -148,7 +148,7 @@ jobs:
         rm dist/VERSION
 
     - name: Merge and tag the PR
-      uses: edgedb/action-release/merge@master
+      uses: edgedb/action-release/merge@bae6b9134e872166b43d218dd79397c851c41c9a
       with:
         github_token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }}
         ssh_key: ${{ secrets.RELEASE_BOT_SSH_KEY }}
@@ -157,7 +157,7 @@ jobs:
         tag_name: v${{ steps.relver.outputs.version }}
 
     - name: Publish Github Release
-      uses: elprans/gh-action-create-release@master
+      uses: elprans/gh-action-create-release@5f9abb8f0677196a76ea77e64341fa8ca31dad4f
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -171,7 +171,7 @@ jobs:
         ls -al dist/
 
     - name: Upload to PyPI
-      uses: pypa/gh-action-pypi-publish@master
+      uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e  # v1.8.10
       with:
         user: __token__
         password: ${{ secrets.PYPI_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b1030fc..1c415c2 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -21,13 +21,13 @@ jobs:
       PIP_DISABLE_PIP_VERSION_CHECK: 1
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
       with:
         fetch-depth: 50
         submodules: true
 
     - name: Check if release PR.
-      uses: edgedb/action-release/validate-pr@master
+      uses: edgedb/action-release/validate-pr@bae6b9134e872166b43d218dd79397c851c41c9a
       id: release
       with:
         github_token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }}
@@ -37,7 +37,7 @@ jobs:
           __version__\s*=\s*(?:['"])([[:PEP440:]])(?:['"])
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4.7.1
       if: steps.release.outputs.version == 0
       with:
         python-version: ${{ matrix.python-version }}