diff --git a/.github/workflows/add-to-project.yaml b/.github/workflows/add-to-project.yaml
index e3c0b42..3e7d97c 100644
--- a/.github/workflows/add-to-project.yaml
+++ b/.github/workflows/add-to-project.yaml
@@ -17,5 +17,5 @@ on:
 jobs:
   call-workflow-add-to-project:
     name: Call workflow to add issue to project
-    uses: bufbuild/base-workflows/.github/workflows/add-to-project.yaml@main
+    uses: bufbuild/base-workflows/.github/workflows/add-to-project.yaml@7be6b0f6700ab0c62145c2b4ca2efd103bfc4895 # main
     secrets: inherit
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a502010..4c4bf59 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -23,13 +23,13 @@ jobs:
       # Shared env variables for all the tests
       UV_RESOLUTION: "${{ matrix.resolution }}"
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: stable
           # We use this to install `buf`, and the `buf` version is controlled by the Makefile.
           cache-dependency-path: Makefile
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
         with:
           python-version: ${{ matrix.python-version }}
       - run: make install
diff --git a/.github/workflows/emergency-review-bypass.yaml b/.github/workflows/emergency-review-bypass.yaml
index e40068f..ce29a9b 100644
--- a/.github/workflows/emergency-review-bypass.yaml
+++ b/.github/workflows/emergency-review-bypass.yaml
@@ -9,5 +9,5 @@ jobs:
   approve:
     name: Approve
     if: github.event.label.name == 'Emergency Bypass Review'
-    uses: bufbuild/base-workflows/.github/workflows/emergency-review-bypass.yaml@main
+    uses: bufbuild/base-workflows/.github/workflows/emergency-review-bypass.yaml@7be6b0f6700ab0c62145c2b4ca2efd103bfc4895 # main
     secrets: inherit
diff --git a/.github/workflows/notify-approval-bypass.yaml b/.github/workflows/notify-approval-bypass.yaml
index 384db80..210ecd1 100644
--- a/.github/workflows/notify-approval-bypass.yaml
+++ b/.github/workflows/notify-approval-bypass.yaml
@@ -10,5 +10,5 @@ permissions:
 jobs:
   notify:
     name: Notify
-    uses: bufbuild/base-workflows/.github/workflows/notify-approval-bypass.yaml@main
+    uses: bufbuild/base-workflows/.github/workflows/notify-approval-bypass.yaml@7be6b0f6700ab0c62145c2b4ca2efd103bfc4895 # main
     secrets: inherit
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
index b114603..1711004 100644
--- a/.github/workflows/pr-title.yaml
+++ b/.github/workflows/pr-title.yaml
@@ -15,4 +15,4 @@ on:
       - synchronize
 jobs:
   lint:
-    uses: bufbuild/base-workflows/.github/workflows/pr-title.yaml@main
+    uses: bufbuild/base-workflows/.github/workflows/pr-title.yaml@7be6b0f6700ab0c62145c2b4ca2efd103bfc4895 # main
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 74e45d5..c6eb7d9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,18 +12,18 @@ jobs:
       name: release
     steps:
       - name: Checkout source
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - name: Set VERSION variable from tag
         run: |
           VERSION=${{github.head_ref}}
           echo "VERSION=${VERSION##*/}" >> $GITHUB_ENV
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
       - name: Build release
         run: |
           uv build
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: package
           path: dist/
@@ -39,15 +39,15 @@ jobs:
     needs: build
     steps:
       - name: Checkout source
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Download built artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: package
           path: dist
 
       - name: Publish on PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1