diff --git a/.github/workflows/.build.yaml b/.github/workflows/.build.yaml
index 56c0639d..997ea1a9 100644
--- a/.github/workflows/.build.yaml
+++ b/.github/workflows/.build.yaml
@@ -33,7 +33,7 @@ jobs:
           sudo apt install unzip curl cmake pkg-config -y
       - id: melange
-        uses: chainguard-dev/actions/melange-build@main
+        uses: chainguard-dev/actions/melange-build@2cadca168a422313df94f6169691a86498ae51b1 # main
         with:
           multi-config: ${{ inputs.melange-config }}
           empty-workspace: false
@@ -42,7 +42,7 @@ jobs:
           archs: ${{ matrix.arch }}
       - name: 'Upload built packages archive to Github Artifacts'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: ${{ inputs.image }}-${{ matrix.arch }}
           path: ./packages
@@ -54,6 +54,11 @@ jobs:
     needs: build
     if: always() && (needs.build.result == 'success' || needs.build.result == 'skipped')
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       # TODO: Replace this with custom wolfi image
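Review bot: The pin `chainguard-dev/actions/melange-build@2cadca168a422313df94f6169691a86498ae51b1 # main` (and the same SHA with the same `# main` comment on setup-melange and setup-registry in the later hunks) carries a branch name rather than a version in the trailing comment, so the comment does not say what the SHA corresponds to, and update tooling that reads that comment to decide what to track will follow the branch head rather than a release. If that repository publishes no release tags, which the `# main` suggests, record the pin date instead, e.g. `# main as of <PIN-DATE>`, so a later reader can tell how stale the pin is and why it was chosen. The SHA is what protects this reusable workflow from a changed upstream branch, so the comment next to it should be truthful about what the pin tracks.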
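Review bot: The added Harden Runner step sets `egress-policy: audit`, which only records outbound connections and blocks nothing; once the audit output for this job has been reviewed, the policy should move to `egress-policy: block` together with an `allowed-endpoints:` list of the hosts the job actually needs. The step is correctly placed as the first entry under `steps:`, ahead of checkout, which it needs in order to observe the whole job. Only this job's step list is visible here; the `build` job whose steps appear in the two earlier hunks shows no Harden Runner step in view, so confirm it received one as well. The job's remaining steps continue past the hunk.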
@@ -61,26 +66,26 @@ jobs:
           sudo apt update -y && \
           sudo apt install unzip curl git -y
-      - uses: hashicorp/setup-terraform@v3
+      - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
         with:
           terraform_version: '1.5.*'
           terraform_wrapper: false
       # Setup melange
-      - uses: chainguard-dev/actions/setup-melange@main
+      - uses: chainguard-dev/actions/setup-melange@2cadca168a422313df94f6169691a86498ae51b1 # main
         if: inputs.melange-config != ''
       # Fetch the build stages back down
       - name: 'Download package archives'
         if: inputs.melange-config != ''
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
           name: ${{ inputs.image }}-aarch64
           path: ./packages
       - name: 'Download package archives'
         if: inputs.melange-config != ''
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
           name: ${{ inputs.image }}-x86_64
           path: ./packages
@@ -101,7 +106,7 @@ jobs:
           done
       # Setup local registry
-      - uses: chainguard-dev/actions/setup-registry@main
+      - uses: chainguard-dev/actions/setup-registry@2cadca168a422313df94f6169691a86498ae51b1 # main
         if: inputs.registry == ''
         with:
           port: 5000
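Review bot: Pinning `hashicorp/setup-terraform` to a commit leaves the toolchain it installs unpinned, because the context line `terraform_version: '1.5.*'` still resolves to whichever 1.5.x release is current at run time; if the aim of this commit is reproducible, pinned runs, pin the binary as well, e.g. `terraform_version: '1.5.7'` (constructed example; use the release the team has validated), and bump it deliberately. The `# v3.0.0` and `# v4.1.4` comments have the version shape update tooling expects, unlike the `# main` comments on the chainguard-dev pins in this file. The two download steps both carry the name 'Download package archives', which predates this change but makes the run log harder to read now that they are otherwise identical apart from the artifact name; a suffix such as `- name: 'Download package archives (aarch64)'` on each would distinguish them.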