diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index b75a4d6d..c44144f7 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -286,7 +286,7 @@ jobs:
     needs: [ release-provenance, image-provenance ]
     permissions:
       contents: write
-    uses: openfga/.github/.github/workflows/undraft-release.yml@main
+    uses: openfga/.github/.github/workflows/undraft-release.yml@835baf31562809ad9eb884c73efc5b79318f700f # pin@main
 
   verification-with-slsa-verifier:
     needs: [ undraft-release, binary-provenance ]
diff --git a/.github/workflows/pr-title-conventional-commit.yml b/.github/workflows/pr-title-conventional-commit.yml
index 748e0ddd..391d37f0 100644
--- a/.github/workflows/pr-title-conventional-commit.yml
+++ b/.github/workflows/pr-title-conventional-commit.yml
@@ -13,5 +13,5 @@ jobs:
   pr-title-check:
     permissions:
       pull-requests: read
-    uses: openfga/.github/.github/workflows/pr-title-check.yml@main
+    uses: openfga/.github/.github/workflows/pr-title-check.yml@835baf31562809ad9eb884c73efc5b79318f700f # pin@main
 
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 89d52f4b..4913b05e 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -36,7 +36,7 @@ jobs:
     if: |
       github.event_name == 'workflow_dispatch' ||
       startsWith(github.event.head_commit.message, 'release:')
-    uses: openfga/.github/.github/workflows/release-please.yml@main
+    uses: openfga/.github/.github/workflows/release-please.yml@835baf31562809ad9eb884c73efc5b79318f700f # pin@main
     with:
       trigger-event:   ${{ github.event_name }}
       bump-type:       ${{ inputs.bump-type || 'auto' }}