diff --git a/.github/workflows/assemble.yml b/.github/workflows/assemble.yml index 856b064..b611d14 100644 --- a/.github/workflows/assemble.yml +++ b/.github/workflows/assemble.yml @@ -7,20 +7,25 @@ on: branches: - main +permissions: {} + jobs: build: runs-on: ubuntu-latest permissions: + contents: read deployments: write id-token: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Read Tool Versions id: tool-versions run: echo "::set-output name=nodejs::$(sed -nr 's/nodejs ([0-9]+)/\1/p' .tool-versions)" - - uses: actions/setup-node@v3 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ steps.tool-versions.outputs.nodejs }} @@ -38,13 +43,13 @@ jobs: - name: Configure AWS Credentials # at some point AWS will release a `v2` of this action. See: # https://github.com/aws-actions/configure-aws-credentials/issues/489#issuecomment-1278145876 - uses: aws-actions/configure-aws-credentials@v1-node16 + uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v1-node16 with: aws-region: eu-west-2 role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/ably-sdk-builds-features role-session-name: "${{ github.run_id }}-${{ github.run_number }}" - - uses: ably/sdk-upload-action@v2 + - uses: ably/sdk-upload-action@4e694297f208b72b5a9f6b1248a1556f19f821d6 # v2 with: sourcePath: render/output githubToken: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 675e917..3db266d 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml 
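Review bot: The `Read Tool Versions` step on the new side still publishes its result through `::set-output`, a workflow command GitHub has deprecated in favour of appending to the `$GITHUB_OUTPUT` file, so the hardened workflow keeps emitting deprecation warnings and the `node-version` lookup will break once the command is removed; the identical line sits unchanged in the check.yml and publish-core.yml hunks. The one-line replacement is `run: echo "nodejs=$(sed -nr 's/nodejs ([0-9]+)/\1/p' .tool-versions)" >> "$GITHUB_OUTPUT"`. On the pinning itself, the trailing `# v3` names a moving major tag; recording the exact release the SHA was taken from (`# v3.X.Y`, value to be filled from the upstream release) makes the pin auditable without resolving the commit. The `build` job continues past the end of this hunk.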
@@ -6,17 +6,23 @@ on: branches: - main +permissions: {} + jobs: check: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Read Tool Versions id: tool-versions run: echo "::set-output name=nodejs::$(sed -nr 's/nodejs ([0-9]+)/\1/p' .tool-versions)" - - uses: actions/setup-node@v3 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ steps.tool-versions.outputs.nodejs }} diff --git a/.github/workflows/publish-core.yml b/.github/workflows/publish-core.yml index d0c4787..ee4c985 100644 --- a/.github/workflows/publish-core.yml +++ b/.github/workflows/publish-core.yml @@ -3,17 +3,23 @@ name: Publish Core on: workflow_dispatch: +permissions: {} + jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Read Tool Versions id: tool-versions run: echo "::set-output name=nodejs::$(sed -nr 's/nodejs ([0-9]+)/\1/p' .tool-versions)" - - uses: actions/setup-node@v3 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ steps.tool-versions.outputs.nodejs }} registry-url: https://registry.npmjs.org/ diff --git a/.github/workflows/sdk-features.yml b/.github/workflows/sdk-features.yml index 0e658f8..a14c1fc 100644 --- a/.github/workflows/sdk-features.yml +++ b/.github/workflows/sdk-features.yml 
@@ -13,30 +13,34 @@ on: ABLY_AWS_ACCOUNT_ID_SDK: required: true +permissions: {} + jobs: build: runs-on: ubuntu-latest permissions: + contents: read deployments: write id-token: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: submodules: 'recursive' + persist-credentials: false - - uses: ably/features-action@v1 + - uses: ably/features-action@ff8a5737341795275572b1c6ce37d9169a7b564a # v1 id: features - name: Configure AWS Credentials # at some point AWS will release a `v2` of this action. See: # https://github.com/aws-actions/configure-aws-credentials/issues/489#issuecomment-1278145876 - uses: aws-actions/configure-aws-credentials@v1-node16 + uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v1-node16 with: aws-region: eu-west-2 role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/ably-sdk-builds-${{ inputs.repository-name }} role-session-name: "${{ github.run_id }}-${{ github.run_number }}" - - uses: ably/sdk-upload-action@v2 + - uses: ably/sdk-upload-action@4e694297f208b72b5a9f6b1248a1556f19f821d6 # v2 with: sourcePath: ${{ steps.features.outputs.matrix-path }} githubToken: ${{ secrets.GITHUB_TOKEN }}
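Review bot: `persist-credentials: false` is added beneath a checkout that also runs with `submodules: 'recursive'`; the checkout step itself still authenticates while it fetches, but the token is then scrubbed from the repository's git config, so any later step that runs git against a private submodule would no longer be able to fetch it. Confirm the remaining steps of `build` — if the job has further steps they lie outside this hunk — do not depend on that, and say so next to the new line: `# token is only needed while checkout fetches the submodules; later steps get no git auth`. Separately, `inputs.repository-name` flows straight into `role-to-assume`, so it is the IAM role's trust policy rather than this reusable workflow that bounds which caller may assume `ably-sdk-builds-<name>`; a one-line comment above `role-to-assume` stating that would spare the next reader a trip to the IAM console.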