diff --git a/.github/workflows/build-peerdb-catalog-pgsetup.yml b/.github/workflows/build-peerdb-catalog-pgsetup.yml
index 8d67419..54358e2 100644
--- a/.github/workflows/build-peerdb-catalog-pgsetup.yml
+++ b/.github/workflows/build-peerdb-catalog-pgsetup.yml
@@ -19,10 +19,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639 # v4
       with:
         go-version: '1.24.4'
         cache-dependency-path: peerdb-catalog/pgSetup/go.sum
diff --git a/.github/workflows/chart-check-docs.yml b/.github/workflows/chart-check-docs.yml
index 50fc4b0..21e02e8 100644
--- a/.github/workflows/chart-check-docs.yml
+++ b/.github/workflows/chart-check-docs.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Check docs
         run: |
diff --git a/.github/workflows/peerdb-charts-release-pushed.yml b/.github/workflows/peerdb-charts-release-pushed.yml
index 1072bce..ff13616 100644
--- a/.github/workflows/peerdb-charts-release-pushed.yml
+++ b/.github/workflows/peerdb-charts-release-pushed.yml
@@ -18,7 +18,7 @@ jobs:
         chartName: [peerdb, peerdb-catalog]
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Call release-charts.yml
         run: |
           gh workflow run release-charts.yml \
diff --git a/.github/workflows/release-charts.yml b/.github/workflows/release-charts.yml
index 4f3b9bd..3f05e65 100644
--- a/.github/workflows/release-charts.yml
+++ b/.github/workflows/release-charts.yml
@@ -26,20 +26,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           path: 'src'
           fetch-depth: 0
           submodules: true
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
         with:
           path: 'dest'
           ref: 'gh-pages'
           fetch-depth: 0
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
 
       - name: Package Helm Charts
         shell: bash
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index ecb9ec5..c8bc2f3 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -20,6 +20,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/update-peerdb-release-version.yml b/.github/workflows/update-peerdb-release-version.yml
index cbdda26..adfb2de 100644
--- a/.github/workflows/update-peerdb-release-version.yml
+++ b/.github/workflows/update-peerdb-release-version.yml
@@ -37,7 +37,7 @@ jobs:
         run: |
           echo "STABLE_PEERDB_VERSION=stable-${{ env.PEERDB_VERSION }}" >> $GITHUB_ENV
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           token: '${{ secrets.DEVOPS_BOT_GITHUB_TOKEN }}'
       - name: Update PeerDB version
@@ -51,7 +51,7 @@ jobs:
           git diff --exit-code || echo "changes=true" >> $GITHUB_OUTPUT
       - name: Get next version
         if: ${{ steps.update-peerdb-version.outputs.changes == 'true' }}
-        uses: reecetech/version-increment@2024.10.1
+        uses: reecetech/version-increment@a29aa752dc3b8118a2dc2ed93faf0e95a73a9c7e # 2024.10.1
         id: version
         with:
           scheme: semver
diff --git a/peerdb-catalog/values.yaml b/peerdb-catalog/values.yaml
index 3f7edb7..fc99f2e 100644
--- a/peerdb-catalog/values.yaml
+++ b/peerdb-catalog/values.yaml
@@ -96,7 +96,7 @@ schema:
       init:
         image:
           repository: golang
-          tag: alpine
+          tag: alpine@sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd
       schemaCreate:
         repository: alpine
         tag: latest
@@ -110,7 +110,7 @@ schema:
   test:
     image:
       repository: postgres
-      tag: latest
+      tag: latest@sha256:073e7c8b84e2197f94c8083634640ab37105effe1bc853ca4d5fbece3219b0e8
   resources:
     requests:
       cpu: 0.5
@@ -128,7 +128,7 @@ temporal:
     image:
       repository: temporalio/admin-tools
       # -- This should be set from the helm values for temporal dependency from the main chart
-      tag: 1.24.2.1-tctl-1.18.1-cli-0.13.2
+      tag: 1.24.2.1-tctl-1.18.1-cli-0.13.2@sha256:365697b58d963d9dacdfd7b6135c64d6981c3d4f064da1afe2edb030aa49af6f
       pullPolicy: IfNotPresent
 
 
diff --git a/peerdb/values.yaml b/peerdb/values.yaml
index aca6a83..35ed733 100644
--- a/peerdb/values.yaml
+++ b/peerdb/values.yaml
@@ -343,7 +343,7 @@ authentication:
     annotations: {}
   image:
     repository: nginx
-    tag: latest
+    tag: latest@sha256:8adbdcb969e2676478ee2c7ad333956f0c8e0e4c5a7463f4611d7a2e7a7ff5dc
     pullPolicy: Always
   resources:
     requests: