diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 92597f9..a794a26 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -1,7 +1,8 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:recommended"
+    "config:recommended",
+    'helpers:pinGitHubActionDigests'
   ],
   "reviewers": ["o-liver", "srinikitha09", "kaylinche"],
   "dockerfile": {
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f959a6..80b55c6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,7 +4,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build
       run: |
         docker build .
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 055954e..107e983 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -4,7 +4,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Haskell Dockerfile Linter
       uses: docker://cdssnc/docker-lint-github-action
       with:
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 954ae9a..e2d67ff 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -12,7 +12,7 @@ jobs:
   push:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Run CI
       run: |
         echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u ${{ secrets.DOCKERHUB_USER }} --password-stdin
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1cb4c21..96028f0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Prepare Release
         run: |
           CURRENT_VERSION_LONG=$(curl --silent "https://api.github.com/repos/SAP/devops-docker-neo-cli/releases" | jq -r '.[].tag_name' | head -n1)
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
index b4606a4..2e51620 100644
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@@ -6,6 +6,6 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: REUSE Compliance Check
-      uses: fsfe/reuse-action@v1.1
+      uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0