diff --git a/.github/workflows/review-app.yml b/.github/workflows/review-app.yml
index bc045464fe..7629beb583 100644
--- a/.github/workflows/review-app.yml
+++ b/.github/workflows/review-app.yml
@@ -4,6 +4,8 @@ on:
 pull_request:
 types: [labeled, unlabeled, closed]
+permissions: {}
+
 jobs:
 manage-review-app:
 runs-on: ubuntu-latest
@@ -17,11 +19,13 @@ jobs:
 (github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'review-app'))
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Check if user is an Ably organization member
 if: github.event.action == 'labeled' && github.event.label.name == 'review-app'
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{ secrets.ABLY_ORG_TOKEN }}
 script: |
@@ -56,7 +60,7 @@ jobs:
 }
 - name: Manage Heroku Review App
- uses: fastruby/manage-heroku-review-app@v1.3
+ uses: fastruby/manage-heroku-review-app@9fa49f0320460f278c3687bc348dd0cbb18555dc # v1.3
 with:
 action: ${{ (github.event.action == 'labeled' && github.event.label.name == 'review-app' && 'create') || 'destroy' }}
 env:
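Review bot: The `manage-review-app` job shows no job-level `permissions:` in the visible lines, so after the top-level `permissions: {}` added in the `@@ -4,6 +4,8 @@` hunk its GITHUB_TOKEN carries no scopes at all. The Checkout step authenticates with that token by default, so if this repository is private the job would presumably need its own `permissions:` block with `contents: read`; on a public repository the empty set should be enough. A one-line comment above the new key would record the intent for the next editor, for example `# Deny all GITHUB_TOKEN scopes by default; grant per job only what a job needs`. The job definition continues outside the hunk, so a grant may already exist there.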
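Review bot: The trailing comments `# v4` and `# v7` on the pinned `uses:` lines in the `@@ -17,11 +19,13 @@` hunk name moving major tags, so the file does not record which release each SHA was taken from. Writing the exact release instead, as in `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # vX.Y.Z` (with `vX.Y.Z` standing for the release that SHA actually belongs to), lets a reviewer check the pin against the upstream tag and lets update tooling keep the comment in step with the SHA. It is also worth confirming that each pinned SHA, including the `fastruby/manage-heroku-review-app` one in the `@@ -56,7 +60,7 @@` hunk, is a commit in the action's own repository, because a commit that exists only in a fork can still resolve under the upstream name. The steps list starts and ends outside these hunks.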