diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yml similarity index 78% rename from .github/workflows/ci.yaml rename to .github/workflows/ci.yml index 9af88cb..42d3c76 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yml @@ -2,7 +2,7 @@ name: Github CI on: push: - branches: ['main'] + branches: ["main"] pull_request: jobs: @@ -11,13 +11,13 @@ jobs: strategy: fail-fast: false matrix: - python-version: ['3.10'] + python-version: ["3.10"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} @@ -31,14 +31,14 @@ jobs: poetry install - name: Run Lint - uses: astral-sh/ruff-action@v3 + uses: astral-sh/ruff-action@v4.0.0 - name: Run tests with coverage run: | poetry run pytest --cov=src/ --cov-report=xml --no-cov-on-fail - name: Send coverage to CodeCov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v6 with: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: false diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yml similarity index 81% rename from .github/workflows/commitlint.yaml rename to .github/workflows/commitlint.yml index 29964d0..5c5fa1a 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yml @@ -2,7 +2,7 @@ name: Commitlint on: push: - branches: ['main'] + branches: ["main"] pull_request: jobs: @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest name: Commitlint steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Run commitlint # uses: opensource-nepal/commitlint@v1 diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index d3eecf8..dd74da9 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -1,6 +1,6 @@ on: push: - branches: ['main'] + branches: ["main"] name: release-please 
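Review bot: In ci.yml's third hunk the bumps to `uses: astral-sh/ruff-action@v4.0.0` and `uses: codecov/codecov-action@v6` (likewise `actions/checkout@v6` and `actions/setup-python@v6` in its second hunk, and `actions/checkout@v6` in commitlint.yml) keep mutable tag references, while release-please.yml in this same commit moves to full commit-SHA pins and adds a comment stating that as the policy; the codecov step also receives `${{ secrets.CODECOV_TOKEN }}`, so a retargeted tag on that action would run unreviewed code with a repository secret. The SHAs already present in this diff can be reused as-is: `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` and `uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0`, while ruff-action and codecov-action need their release SHAs looked up (`uses: codecov/codecov-action@<full-commit-sha> # v6.x.y`). If tag references are intentional for these non-publishing workflows, a one-line comment saying so would keep the two pinning styles from looking like an oversight. I cannot see whether ci.yml declares a workflow-level `permissions:` block; if it does not, `permissions: contents: read` at the top would bound what these tag-referenced actions can do with the default token.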
@@ -8,6 +8,8 @@ jobs: release-please: runs-on: ubuntu-latest permissions: + # This job has the highest privileges, so always pin actions to a specific commit hash. + # Ensure the referenced commit hash is verified and free from known vulnerabilities. id-token: write # for PYPI release contents: write pull-requests: write @@ -15,9 +17,9 @@ jobs: steps: - name: Release id: release - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 + uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0 - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ steps.release.outputs.release_created }} - name: tag major and minor versions @@ -32,10 +34,10 @@ jobs: git push origin v${{ steps.release.outputs.major }} -f - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 if: ${{ steps.release.outputs.release_created }} with: - python-version: '3.x' + python-version: "3.10" - name: Install dependencies if: ${{ steps.release.outputs.release_created }} @@ -49,4 +51,4 @@ jobs: - name: Publish package if: ${{ steps.release.outputs.release_created }} - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 diff --git a/action.yml b/action.yml index e397c54..bdeb906 100644 --- a/action.yml +++ b/action.yml 
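Review bot: The comment added under `permissions:` in the first hunk describes the `uses:` pins that live in `steps:`, so it sits one block too early, and its second line (`# Ensure the referenced commit hash is verified and free from known vulnerabilities.`) gives a reader nothing they can actually check. I would move it directly above `steps:` and make it verifiable, e.g. `# Every third-party action below is pinned to a full commit SHA; the trailing '# vX.Y.Z' is informational only, so confirm the SHA matches the upstream release tag and update both together.` The move from `release-please-action` v4.1.3 to v5.0.0 in the second hunk is a major-version change, and the later `if: ${{ steps.release.outputs.release_created }}` guards and the `git push origin v${{ steps.release.outputs.major }} -f` step depend on those output names, so it is worth confirming they are unchanged in v5 — a renamed output would make the conditions silently false rather than fail the job. The tag-push step and the `Install dependencies` step are only partly visible within these hunks.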
@@ -1,14 +1,14 @@ -name: 'Conventional Commitlint' -description: 'A GitHub Action to check conventional commit message' +name: "Conventional Commitlint" +description: "A GitHub Action to check conventional commit message" inputs: fail_on_error: description: Whether to fail the workflow if commit messages don't follow conventions. - default: 'true' + default: "true" required: false verbose: description: Verbose output. - default: 'false' + default: "false" required: false token: description: Token for fetching commits using Github API. @@ -24,16 +24,18 @@ outputs: value: ${{ steps.commitlint.outputs.exit_code }} branding: - color: 'red' - icon: 'git-commit' + color: "red" + icon: "git-commit" runs: - using: 'composite' + using: "composite" steps: - name: Install Python - uses: actions/setup-python@v5.1.0 + # Use a specific version for action dependencies + # A commitlint action version should use fixed dependency versions (not mutable versions) + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.10' + python-version: "3.10" - name: Commitlint Action id: commitlint
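Review bot: The two-line comment added above `uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0` in the second hunk says the same thing twice, and its second line reads awkwardly (`# A commitlint action version should use fixed dependency versions (not mutable versions)`). A single comment that states why the pin matters for a composite action is clearer: `# Pinned to a full commit SHA: this step runs inside every consumer's workflow, so a mutable tag would let an upstream change land there unreviewed; the trailing '# v6.2.0' is informational, bump both together.` The `python-version: "3.10"` here now matches the ci.yml matrix, which is good for reproducing consumer-side failures. The `Commitlint Action` step's `run:`/`shell:` lines lie outside the hunk, so I could not check whether they also reference anything by mutable version.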