diff --git a/action.yml b/action.yml
index 45781bf..5e90eda 100644
--- a/action.yml
+++ b/action.yml
@@ -22,7 +22,7 @@ runs:
 steps:
 - name: "Import Secrets"
 id: "import-secrets"
- uses: "https://github.com/hashicorp/vault-action@v3"
+ uses: "https://github.com/hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c" # v3
 with:
 url: "https://vault.w9r.dev"
 method: "approle"
@@ -56,13 +56,13 @@ runs:
 touch /root/.jreleaser/config.properties
 - name: "Install syft"
- uses: "https://github.com/anchore/sbom-action/download-syft@v0"
+ uses: "https://github.com/anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75" # v0
 id: "install_syft"
 with:
 syft-version: "v1.18.1"
 - name: "Setup Java and Maven"
- uses: "https://github.com/s4u/setup-maven-action@v1.18.0"
+ uses: "https://github.com/s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1" # v1.18.0
 with:
 checkout-fetch-depth: 0
 java-distribution: "temurin"
@@ -136,7 +136,7 @@ runs:
 - name: "Import Commit Signing GPG key"
 id: "import-gpg"
- uses: "https://github.com/crazy-max/ghaction-import-gpg@v6"
+ uses: "https://github.com/crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5" # v6
 with:
 gpg_private_key: "${{ env.JRELEASER_GPG_SECRET_KEY }}"
 passphrase: "${{ env.JRELEASER_GPG_PASSPHRASE }}"
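Review bot: The trailing `# v3` on the pinned `hashicorp/vault-action` line names a floating major tag, so the comment does not record which release the SHA corresponds to; the same holds for `# v0` on `download-syft` and `# v6` on `ghaction-import-gpg`, while `# v1.18.0` on `setup-maven-action` is already exact. I would write the full release tag there, in the form `# <exact-release-tag>`, so a reader or an update bot can compare the SHA with a published release. Nothing on the page shows how the four SHAs were obtained, so each should be confirmed as a commit in the upstream repository that the named tag pointed to at pin time. This matters most for the Vault step here and the GPG import step in the last hunk, which handle the AppRole login and the signing key. The `steps:` list starts and ends outside these hunks.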
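Review bot: In the `Install syft` step the SHA pin fixes only the action's own code; `syft-version: "v1.18.1"` still names a release that is presumably fetched at run time, and the pin does not cover that download. A comment above the step would make the limit visible: `# SHA pins the action code only; the syft release named in syft-version is fetched at run time`. Likewise, if `s4u/setup-maven-action` is a composite action that calls other actions by tag, those nested references stay mutable behind the pinned SHA, so its action.yml at the pinned commit is worth checking. Both steps sit inside a `steps:` list that begins and ends outside the hunk.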