diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index 7630dda..e66bbcd 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -24,7 +24,7 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Run actionlint
         env:
diff --git a/.github/workflows/auto-release-notes.yml b/.github/workflows/auto-release-notes.yml
index 4ddca8b..fe2d457 100644
--- a/.github/workflows/auto-release-notes.yml
+++ b/.github/workflows/auto-release-notes.yml
@@ -17,7 +17,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index c80ef54..33972ff 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - name: Dependency Review
         uses: actions/dependency-review-action@v5
         with:
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
index c22a188..361476c 100644
--- a/.github/workflows/secrets-scan.yml
+++ b/.github/workflows/secrets-scan.yml
@@ -18,10 +18,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           fetch-depth: 0
       - name: Run gitleaks
-        uses: gitleaks/gitleaks-action@v3
+        uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/skill-validate.yml b/.github/workflows/skill-validate.yml
index 66e0539..3607b42 100644
--- a/.github/workflows/skill-validate.yml
+++ b/.github/workflows/skill-validate.yml
@@ -28,7 +28,7 @@ jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       # PyYAML is NOT guaranteed to be preinstalled on the runner image, so set
       # up Python explicitly and install the dependency to keep validation green.
diff --git a/.github/workflows/weekly-triage.yml b/.github/workflows/weekly-triage.yml
index bfb857d..e1f39ec 100644
--- a/.github/workflows/weekly-triage.yml
+++ b/.github/workflows/weekly-triage.yml
@@ -21,7 +21,7 @@ jobs:
       contents: read
       issues: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Fetch open issues
         id: issues