diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
index ea893b9a8..8ec495d84 100644
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@@ -60,11 +60,11 @@ jobs:
 release-tag: latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3
 # Setup auth if not a PR.
 - if: github.event_name != 'pull_request'
- uses: google-github-actions/setup-gcloud@v0.5.0
+ uses: google-github-actions/setup-gcloud@37a9333538a8350a13fe9d8fa03e0d4742a1ad2e # v0.5.0
 with:
 service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
 project_id: kaniko-project
@@ -73,11 +73,11 @@ jobs:
 run: gcloud auth configure-docker
 # Build and push with Docker.
- - uses: docker/setup-qemu-action@v1
+ - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1
 with:
 platforms: ${{ matrix.platforms }}
- - uses: docker/setup-buildx-action@v1
- - uses: docker/build-push-action@v2
+ - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1
+ - uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b # v2
 id: build-and-push
 with:
 context: .
@@ -91,7 +91,7 @@ jobs:
 # Sign images if not a PR.
 - if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@main
+ uses: sigstore/cosign-installer@b4f55743d10d066fee1de1cf0fa26069700c0195 # main
 with:
 cosign-release: 'v1.4.1'
 - if: github.event_name != 'pull_request'
@@ -105,7 +105,7 @@ jobs:
 # If a tag push, use crane to add more tags.
 - if: startsWith(github.ref, 'refs/tags/v')
- uses: imjasonh/setup-crane@v0.1
+ uses: imjasonh/setup-crane@5146f708a817ea23476677995bf2133943b9be0b # v0.1
 - if: startsWith(github.ref, 'refs/tags/v')
 name: Apply release tags
 run: |
diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml
index e9da2c3a2..699f05a69 100644
--- a/.github/workflows/integration-tests.yaml
+++ b/.github/workflows/integration-tests.yaml
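Review bot: images.yaml receives no `permissions:` block in this commit, although it is the workflow that reads `secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY` in this hunk and, per its own comments, pushes and signs the images, while integration-tests.yaml and unit-tests.yaml both gain a top-level `permissions:` with `contents: read`. The top of images.yaml lies outside these hunks, so a block may already exist there; if it does not, add the same `permissions:` / `contents: read` at workflow level and widen it per job only where a step needs more. Whether the signing step needs `id-token: write` cannot be seen from here and should be checked before restricting the token.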
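Review bot: The trailing comments on the pinned lines in this hunk (`# v1`, `# v2`), like `# v3` in the first hunk and `# v2` / `# v3` / `# v1` in integration-tests.yaml and unit-tests.yaml, name floating major tags, so nothing in the file records which release each 40-character SHA actually is. Each SHA should be confirmed to be reachable from the named tag in the upstream action repository before merge, because the diff alone cannot show that. For later audits and update tooling, write the exact release in the comment, e.g. `uses: docker/build-push-action@<sha> # v<exact release>`. Pinned SHAs also stop receiving fixes silently; no automated updater configuration is part of this commit, so it is worth confirming one exists.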
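Review bot: `uses: sigstore/cosign-installer@b4f55743d10d066fee1de1cf0fa26069700c0195 # main` freezes whatever commit the `main` branch pointed at when the pin was made, which is not a released version of the installer, and the `# main` comment gives no way to tell later how old the pin is. This action installs the binary that signs the release images, so it deserves the strictest pin in the file: use the commit of a tagged installer release and name the tag, `uses: sigstore/cosign-installer@<commit-sha-of-release-tag> # <release-tag>`. The `cosign-release: 'v1.4.1'` input is unchanged context; how the installer verifies that download depends on the pinned installer code and is not visible here.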
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: ['main']
+permissions:
+ contents: read
+
 jobs:
 tests:
 runs-on: ubuntu-latest
@@ -22,11 +25,11 @@ jobs:
 - k8s-executor-build-push integration-test-k8s
 steps:
- - uses: actions/setup-go@v2
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
 with:
 go-version: 1.17
- - uses: actions/checkout@v3
- - uses: docker/setup-buildx-action@v1
+ - uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3
+ - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1
 - run: make install-container-diff minikube-setup
 - run: make ${{ matrix.make-target }}
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
index b5e3df0f0..b6a71d065 100644
--- a/.github/workflows/unit-tests.yaml
+++ b/.github/workflows/unit-tests.yaml
@@ -6,13 +6,16 @@ on:
 pull_request:
 branches: ['main']
+permissions:
+ contents: read
+
 jobs:
 tests:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-go@v2
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
 with:
 go-version: 1.17
- - uses: actions/checkout@v3
+ - uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3
 - run: make test
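Review bot: `go-version: 1.17` on the context line under the newly pinned `actions/setup-go` step is an unquoted YAML number; it happens to survive for 1.17, but the same form would be read as 1.2 once the version reaches 1.20. This commit does not change the line, but since the step is being touched it is a cheap fix: `go-version: '1.17'`. The same line appears in the unit-tests.yaml hunk.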