diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b9a4fc25..ad21a7ae 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,6 +2,8 @@ version: 2
 updates:
   - package-ecosystem: github-actions
     directory: "/"
+    cooldown:
+      default-days: 42
     schedule:
       interval: "monthly"
     groups:
@@ -10,6 +12,8 @@ updates:
           - "*"
   - package-ecosystem: cargo
     directory: "/"
+    cooldown:
+      default-days: 42
     schedule:
       interval: "monthly"
     groups:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 137575fe..88058bc1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -107,7 +107,7 @@ jobs:
       - if: contains(matrix.args, 'sdist')
         run: pip install --no-dependencies target/wheels/*.tar.gz
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: wheels-${{ matrix.name }}
           path: target/wheels
@@ -117,7 +117,7 @@ jobs:
     steps:
       - uses: mhils/workflows/checkout@5b6540d578f48644ffa5e955cedadc81034cb7d8  # v18.0
       - if: ${{ !startsWith(github.ref, 'refs/tags/') }}  # harden against cache poisoning
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         id: cache-app
         with:
           path: mitmproxy-macos/redirector/dist/
@@ -132,7 +132,7 @@ jobs:
           APPLE_PROVISIONING_PROFILE_EXT: ${{ secrets.APPLE_PROVISIONING_PROFILE_EXT }}
           APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: macos-app
           path: mitmproxy-macos/redirector/dist/
@@ -148,7 +148,7 @@ jobs:
       - run: cargo build --release --package windows-redirector
 
       - run: python -m build --wheel ./mitmproxy-windows --outdir target/wheels/
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: wheels-os-windows
           path: target/wheels
@@ -168,13 +168,13 @@ jobs:
           cargo build --release --package macos-certificate-truster --target x86_64-apple-darwin
           cargo build --release --package macos-certificate-truster --target aarch64-apple-darwin
           lipo -create -output target/release/macos-certificate-truster target/x86_64-apple-darwin/release/macos-certificate-truster target/aarch64-apple-darwin/release/macos-certificate-truster
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: macos-app
           path: mitmproxy-macos/redirector/dist/
 
       - run: python -m build --wheel ./mitmproxy-macos --outdir target/wheels/
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: wheels-os-macos
           path: target/wheels
@@ -200,7 +200,7 @@ jobs:
         working-directory: ./mitmproxy-linux
       - run: test -f target/wheels/*-py3-none-*.whl  # ensure we have a universal wheel
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: wheels-os-${{ matrix.name }}
           path: target/wheels
@@ -211,7 +211,7 @@ jobs:
     steps:
       - uses: mhils/workflows/checkout@5b6540d578f48644ffa5e955cedadc81034cb7d8  # v18.0
       - uses: ./.github/actions/setup
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: wheels-os-linux-x86_64
           path: target/wheels
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index bbf9b59a..30e51353 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -34,7 +34,7 @@ jobs:
 
       - run: pdoc -o docs/ mitmproxy_rs
 
-      - uses: actions/upload-pages-artifact@v5
+      - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
         with:
           path: docs/
 
@@ -52,4 +52,4 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - id: deployment
-        uses: actions/deploy-pages@v5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 553d39c5..c95cff90 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,11 +20,11 @@ jobs:
     environment: deploy
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       with:
         token: ${{ secrets.GH_PUSH_TOKEN }}  # this token works to push to the protected main branch.
         persist-credentials: true  # needed by release tool
-    - uses: mhils/releasetool@v1
+    - uses: mhils/releasetool@ba705fb9672350ee29b1359bbf5710c16672cd41 # v1
     - run: ./.github/scripts/release
       env:
         PROJECT_VERSION: ${{ inputs.version }}