diff --git a/.github/workflows/cerberus-integration.yml b/.github/workflows/cerberus-integration.yml
index b6b8884e..666b5e45 100644
--- a/.github/workflows/cerberus-integration.yml
+++ b/.github/workflows/cerberus-integration.yml
@@ -95,7 +95,7 @@ jobs:
       # Try registry first (fast), fallback to artifact if registry fails
       - name: Pull Docker image from registry
         id: pull_image
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
         with:
           timeout_minutes: 5
           max_attempts: 3
diff --git a/.github/workflows/crowdsec-integration.yml b/.github/workflows/crowdsec-integration.yml
index 590c423b..6ea05b29 100644
--- a/.github/workflows/crowdsec-integration.yml
+++ b/.github/workflows/crowdsec-integration.yml
@@ -95,7 +95,7 @@ jobs:
       # Try registry first (fast), fallback to artifact if registry fails
       - name: Pull Docker image from registry
         id: pull_image
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
         with:
           timeout_minutes: 5
           max_attempts: 3
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 806dd29d..36b1be13 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -197,7 +197,7 @@ jobs:
       - name: Build and push Docker image (with retry)
         if: steps.skip.outputs.skip_build != 'true'
         id: build-and-push
-        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
         with:
           timeout_minutes: 25
           max_attempts: 3
diff --git a/.github/workflows/rate-limit-integration.yml b/.github/workflows/rate-limit-integration.yml
index 47c79c30..4a0ce173 100644
--- a/.github/workflows/rate-limit-integration.yml
+++ b/.github/workflows/rate-limit-integration.yml
@@ -95,7 +95,7 @@ jobs:
       # Try registry first (fast), fallback to artifact if registry fails
       - name: Pull Docker image from registry
         id: pull_image
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
         with:
           timeout_minutes: 5
           max_attempts: 3
diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index aadb2d1c..9d9cee01 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -234,7 +234,7 @@ jobs:
       - name: Upload Trivy SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_exists == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@ab5b0e3aabf4de044f07a63754c2110d3ef2df38
+        uses: github/codeql-action/upload-sarif@f959778b39f110f7919139e242fa5ac47393c877
         with:
           sarif_file: 'trivy-binary-results.sarif'
           category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
diff --git a/.github/workflows/waf-integration.yml b/.github/workflows/waf-integration.yml
index 4cc233be..f30e0c5e 100644
--- a/.github/workflows/waf-integration.yml
+++ b/.github/workflows/waf-integration.yml
@@ -95,7 +95,7 @@ jobs:
       # Try registry first (fast), fallback to artifact if registry fails
       - name: Pull Docker image from registry
         id: pull_image
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
         with:
           timeout_minutes: 5
           max_attempts: 3