diff --git a/.github/workflows/rust.yaml b/.github/workflows/rust.yaml
index 0c2a571..a1ec9b7 100644
--- a/.github/workflows/rust.yaml
+++ b/.github/workflows/rust.yaml
@@ -26,23 +26,23 @@ jobs:
           - rust: aarch64-unknown-linux-musl
             docker: linux/arm64
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
-      - uses: rui314/setup-mold@v1
+      - uses: rui314/setup-mold@65ebd6e8eaa076198082114e4a8ab5c209b13ec4 # v1
 
       - uses: dtolnay/rust-toolchain@stable
         with:
           targets: ${{ matrix.target.rust }}
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2
         with:
           cache-all-crates: "true"
           cache-on-failure: "true"
 
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3
 
       # nix dev shell setup
       - uses: DeterminateSystems/nix-installer-action@main
-      - uses: cachix/cachix-action@v12
+      - uses: cachix/cachix-action@6a9a34cdd93d0ae4b4b59fd678660efb08109f2f # v12
         with: { name: "nix-community" }
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
@@ -55,7 +55,7 @@ jobs:
           "cargo build --target ${{ matrix.target.rust }} --release"
 
       - name: Login to Docker registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
         with:
           registry: lhr.ocir.io
           username: ${{ secrets.OCIR_USERNAME }}
@@ -63,7 +63,7 @@ jobs:
 
       - name: Docker meta tags generator
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
         # use correct sha for pr commits
         env:
           DOCKER_METADATA_PR_HEAD_SHA: true
@@ -80,7 +80,7 @@ jobs:
 
       - name: Build Dockerfile
         id: build-and-push-action-1
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3
         with:
           context: .
           file: Dockerfile
@@ -120,7 +120,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           token: ${{ secrets.WRITE_BACK_TO_REPO_TOKEN }}