diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 4ebf9ab1..b91ffa2f 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -11,9 +11,15 @@ on:
 jobs:
 log-the-inputs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: false
 
 - name: Bump version
 run: |
@@ -27,8 +33,9 @@ jobs:
 env:
 VERSION: ${{ inputs.version }}
 
+ # TODO: use `gh pr new` instead
 - name: Create pull request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
 branch: bump-version
 commit-message: "Bump version to ${{ inputs.version }}"
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index db1a255a..f1ca52f2 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -27,10 +27,12 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: false
 
 - name: Setup cache
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 key: ${{ runner.os }}-${{ hashFiles('composer.json') }} # Note that lock file will change between runs.
 path: .cache
diff --git a/.github/workflows/generate-missing-i18n-files-pr.yml b/.github/workflows/generate-missing-i18n-files-pr.yml
index 3ea20138..c34ab726 100644
--- a/.github/workflows/generate-missing-i18n-files-pr.yml
+++ b/.github/workflows/generate-missing-i18n-files-pr.yml
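Review bot: The version comment on the new checkout pin, `# 6.0.2`, does not match the format used by the other pins in this commit (`# v5.0.5`, `# v8.1.1`) and, as far as I know, actions/checkout publishes `v`-prefixed tags, so the comment names a ref that does not exist. Dependabot and Renovate read that trailing comment to keep SHA pins moving, so it should name the real tag: `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`. The same `# 6.0.2` comment is repeated on every checkout pin in this commit (coding-standards, generate-missing-i18n-files-pr, generate-pot-pr, phpunit-tests, publish-fair, releases, update-browserslist); the `# 2.37.1` on setup-php is fine if that project's tags are unprefixed, which I believe they are.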
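Review bot: The create-pull-request pin in this hunk jumps from the v7 line to `# v8.1.1` inside a commit whose stated purpose is SHA pinning, so any input or default-behaviour changes in the v8 major come along silently; either pin the latest v7 commit here and bump the major in its own change, or at least check the `branch`/`commit-message` inputs against the v8 release notes. With `persist-credentials: false` on the checkout above, the action pushes with its own `token` input (defaulting to `github.token`), which works, but pull requests created with GITHUB_TOKEN do not trigger other workflows, so the bump PR will get no `pull_request` checks; that is worth a second line under the TODO, e.g. `# note: PRs opened with github.token do not trigger CI — use a GitHub App token if checks are needed`. The same v7→v8 jump is in the update-browserslist hunk (`@@ -6,20`).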
@@ -11,7 +11,7 @@ on:
 jobs:
 generate-missing-i18n-files:
 name: Generate missing i18n files PR
- if: github.repository == ${{ github.event.repository.full_name }}
+ if: github.repository == github.event.repository.full_name
 permissions:
 contents: write
 pull-requests: write
@@ -20,15 +20,18 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: true # git cli needs this
 
 - name: Set up PHP environment
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 php-version: "7.4"
 
 - name: Setup WP-CLI
- uses: godaddy-wordpress/setup-wp-cli@1
+ uses: godaddy-wordpress/setup-wp-cli@1 # using tag, sha hash will not resolve
+ # uses: godaddy-wordpress/setup-wp-cli@7dee90ee27eb3510c0997111eb5c01de856c7a98 # 1.0.0
 
 - name: Configure git user
 run: |
diff --git a/.github/workflows/generate-pot-pr.yml b/.github/workflows/generate-pot-pr.yml
index f04f3a54..86fa62de 100644
--- a/.github/workflows/generate-pot-pr.yml
+++ b/.github/workflows/generate-pot-pr.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 generate-pot:
 name: Generate POT PR
- if: github.repository == ${{ github.event.repository.full_name }}
+ if: github.repository == github.event.repository.full_name
 permissions:
 contents: write
 pull-requests: write
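Review bot: The rewritten condition `github.repository == github.event.repository.full_name` compares the repository with itself: for any event that carries a repository object the two values are identical and the condition is always true, and for an event payload without one it is always false, so in neither case does it act as the fork guard it appears to be for a job holding `contents: write` and `pull-requests: write`. The old form was broken differently (a `${{ }}` embedded in a bare `if:`), so this is not a regression, but the guard stays ineffective. If the intent is to run only in the canonical repository, compare against its literal name: `if: github.repository == '<OWNER>/<REPO>'` (placeholder, substitute this repository's owner and name). The same condition is rewritten identically in the generate-pot-pr hunk (`@@ -9,7`) and the update-browserslist hunk (`@@ -6,20`).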
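Review bot: `persist-credentials: true # git cli needs this` leaves the job's write-capable GITHUB_TOKEN in `.git/config` for every later step, and two steps down `godaddy-wordpress/setup-wp-cli@1` is the one action in this commit still on a mutable tag, so the least-pinned code runs with the credential on disk. The comment `# using tag, sha hash will not resolve` is consistent with the 40-character value being an annotated tag object rather than the commit it points to; `uses:` needs the commit SHA, which `git ls-remote --tags` shows on the `^{}` peeled line (or `git rev-parse '1.0.0^{commit}'` in a clone), and with that the commented-out pin should resolve. Failing that, moving the checkout step below the setup-php and setup-wp-cli steps keeps the credential out of the tree while third-party code runs, since neither needs the checkout. The same pattern appears in generate-pot-pr (`@@ -18,15`) and in the github-script pin in playground-to-pr (`@@ -4,12`).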
@@ -18,15 +18,18 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: true # git cli needs this
 
 - name: Set up PHP environment
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 php-version: "7.4"
 
 - name: Setup WP-CLI
- uses: godaddy-wordpress/setup-wp-cli@1
+ uses: godaddy-wordpress/setup-wp-cli@1 # using tag, sha hash will not resolve
+ # uses: godaddy-wordpress/setup-wp-cli@7dee90ee27eb3510c0997111eb5c01de856c7a98 # 1.0.0
 
 - name: Configure git user
 run: |
diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml
index 0da409c3..18b1b0a3 100644
--- a/.github/workflows/phpunit-tests.yml
+++ b/.github/workflows/phpunit-tests.yml
@@ -74,10 +74,12 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@master
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: false
 
 - name: Setup MySQL with mysql_native_password
- uses: shogo82148/actions-setup-mysql@v1
+ uses: shogo82148/actions-setup-mysql@9c42ca180d5f1dd4dceb54c23c5eda0384f4d265 # v1.50.0
 with:
 mysql-version: ${{ matrix.wp-version >= '5.0' && '8.0' || '5.6' }}
 my-cnf: |
@@ -86,7 +88,7 @@ jobs:
 root-password: root
 
 - name: Set up PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 php-version: ${{ matrix.php-version }}
 coverage: none
diff --git a/.github/workflows/playground-to-pr.yml b/.github/workflows/playground-to-pr.yml
index fb07062d..b04b530d 100644
--- a/.github/workflows/playground-to-pr.yml
+++ b/.github/workflows/playground-to-pr.yml
@@ -4,12 +4,17 @@ on:
 pull_request_target:
 types: [opened]
 
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 add-comment-with-link:
 runs-on: ubuntu-latest
 steps:
 - name: add-comment
- uses: actions/github-script@v7
+ uses: actions/github-script@v7 # using tag, sha hash will not resolve
+ # uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
 with:
 github-token: ${{ github.token }}
 script: |
diff --git a/.github/workflows/publish-fair.yml b/.github/workflows/publish-fair.yml
index f5dc0475..06de3a89 100644
--- a/.github/workflows/publish-fair.yml
+++ b/.github/workflows/publish-fair.yml
@@ -17,12 +17,13 @@ permissions:
 jobs:
 publish:
 runs-on: ubuntu-latest
- if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+ if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Get tag
 id: tag
@@ -34,7 +35,7 @@ jobs:
 fi
 
 - name: Publish to FAIR
- uses: fairpm/fair-pulse@v1
+ uses: fairpm/fair-pulse@v1 # not using sha hash for now, it's our own action anyway
 with:
 version: ${{ steps.tag.outputs.tag }}
 artifact-name: ${{ github.event.repository.name }}-${{ steps.tag.outputs.tag }}.zip
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index ef2b9a82..4153223d 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -15,10 +15,12 @@ jobs:
 contents: write
 steps:
 - name: Checkout code
- uses: actions/checkout@master
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: false
 
 - name: Set up PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 php-version: '8.2'
 tools: composer
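Review bot: The new workflow-level `permissions` block grants `contents: read` that nothing in the visible job uses — there is no checkout step, and the comment is posted through `issues: write` — so under `pull_request_target`, where the token is write-capable in the base repository for pull requests from forks, it can be tightened to `contents: none`. The `script:` body starts at the end of this hunk and is outside it, so I cannot see how it reads PR data; because this trigger runs base-repository code against untrusted pull requests, any `${{ github.event.pull_request.* }}` interpolated into the script text is attacker-controlled source, and those fields should be read via `context.payload` inside the script instead — confirm that is the case. `github-token: ${{ github.token }}` is the action's default and can be dropped.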
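Review bot: The justification `# not using sha hash for now, it's our own action anyway` on `fairpm/fair-pulse@v1` does not hold: a floating `v1` tag means anyone with push access to that repository, or any automation token there, silently changes what this publish job executes with the release permissions declared above this hunk, which is exactly the exposure the rest of the commit removes. Pinning is one line and the trailing comment lets Dependabot keep it current: `uses: fairpm/fair-pulse@<COMMIT_SHA> # v1.x.y` (placeholders, resolve from the action's current v1 tag). The job's `permissions:` block and the `Get tag` run body are outside the hunk.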
@@ -43,7 +45,7 @@ jobs:
 
 - name: Create Release
 id: create_release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -64,6 +66,6 @@ jobs:
 AWS_REQUEST_CHECKSUM_CALCULATION: 'WHEN_REQUIRED'
 
 - name: Build provenance attestation
- uses: actions/attest-build-provenance@v2
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
 subject-path: /tmp/${{ github.event.repository.name }}-${{ steps.tag.outputs.tag }}.zip
diff --git a/.github/workflows/update-browserslist.yaml b/.github/workflows/update-browserslist.yaml
index 1cae411b..4340ac44 100644
--- a/.github/workflows/update-browserslist.yaml
+++ b/.github/workflows/update-browserslist.yaml
@@ -6,20 +6,23 @@ on:
 jobs:
 update-browserslist-regex:
 name: Update browserslist regex
- if: github.repository == ${{ github.event.repository.full_name }}
+ if: github.repository == github.event.repository.full_name
 permissions:
 contents: write
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: false
 
 - name: Update browserslist
 run: ./bin/update-browsers.sh
 
+ # TODO: use `gh pr new` instead
 - name: Create pull request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
 branch: update-browserslist
 commit-message: "Update browser regex from browserslist"
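Review bot: The action-gh-release pin moves from the v2 line to `# v3.0.0`, a major-version jump hidden inside a SHA-pinning commit; pin the current v2 commit here and take the v3 upgrade as its own reviewed change, or at least verify the `with:` inputs that follow (outside the hunk) against the v3 release notes before this runs on a real tag. The `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` line is, as far as I know, redundant with the action's `token` input, which defaults to `github.token`; harmless, but worth a comment if it is kept deliberately, e.g. `# kept for older action versions; the token input defaults to github.token`.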
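Review bot: The attest-build-provenance pin goes from v2 to `# v4.1.0`, and this action requires `id-token: write` and `attestations: write` on the job, yet the only job permission visible anywhere in this commit for releases.yml is `contents: write` (hunk `@@ -15,10`); the rest of that `permissions:` block is outside the hunks, so confirm both scopes are present or the attestation step will fail at runtime after the release has already been created. As with the other major bumps in this commit, the v2→v4 jump deserves a look at the release notes rather than a silent pin. The `with:` block ends the file, so nothing after `subject-path` is cut off.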