diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 34bc895..9d1c3f6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,7 +14,7 @@ jobs:
         with:
           python-version: "3.13"
       - name: Install and configure Poetry (this should ideally be done from pyproject.toml but..)
-        uses: snok/install-poetry@v1
+        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
         with:
           version: 1.8.5
           virtualenvs-create: true
diff --git a/.github/workflows/publish_pypi_prod.yml b/.github/workflows/publish_pypi_prod.yml
index 5b0ffaf..cfffc42 100644
--- a/.github/workflows/publish_pypi_prod.yml
+++ b/.github/workflows/publish_pypi_prod.yml
@@ -32,6 +32,6 @@ jobs:
           path: dist
       - name: Publish distribution 📦 to PyPI
         # if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           sign-artifacts: true
diff --git a/.github/workflows/publish_pypi_test.yml b/.github/workflows/publish_pypi_test.yml
index 56d9d49..93761bb 100644
--- a/.github/workflows/publish_pypi_test.yml
+++ b/.github/workflows/publish_pypi_test.yml
@@ -27,7 +27,7 @@ jobs:
           name: dist
           path: dist
       - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           repository-url: https://test.pypi.org/legacy/
           sign-artifacts: true