diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index da52a85..fcd1cc6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,6 @@
 ---
 name: CI
-permissions:
-  contents: read
+permissions: {}
 
 on:
   pull_request:
@@ -35,11 +34,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Release Setup
         id: release-setup
-        uses: LizardByte/actions/actions/release_setup@v2026.203.15239
+        uses: LizardByte/actions/actions/release_setup@ce5d2be83ba14f30062762579f46d074892c5dd0  # v2026.203.15239
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -47,13 +46,15 @@ jobs:
     name: Build
     needs:
       - release-setup
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.12"
 
@@ -92,28 +93,30 @@ jobs:
             -o junit_family=legacy \
             tests
 
-      - name: Upload test results
+      - name: Upload test coverage
         # any except canceled or skipped
         if: >-
           always() &&
           (steps.test.outcome == 'success' || steps.test.outcome == 'failure') &&
           startsWith(github.repository, 'LizardByte/')
-        uses: codecov/test-results-action@v1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
         with:
           fail_ci_if_error: true
-          files: junit.xml
+          report_type: coverage
           token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
 
-      - name: Upload coverage
+      - name: Upload test results
         # any except canceled or skipped
         if: >-
           always() &&
           (steps.test.outcome == 'success' || steps.test.outcome == 'failure') &&
           startsWith(github.repository, 'LizardByte/')
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
         with:
           fail_ci_if_error: true
+          files: junit.xml
+          report_type: test_results
           token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true
 
@@ -147,10 +150,11 @@ jobs:
       - release-setup
       - build
       - build-docker
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       - name: Create/Update GitHub Release
-        uses: LizardByte/actions/actions/release_create@v2026.203.15239
+        uses: LizardByte/actions/actions/release_create@ce5d2be83ba14f30062762579f46d074892c5dd0  # v2026.203.15239
         with:
           allowUpdates: true
           artifacts: ''