diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 000000000..c75e875a0
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index fcc0efd1c..856fbefe1 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
@@ -20,12 +20,12 @@ jobs:
       id-token: write # to enable use of OIDC for npm provenance
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20.x
           cache: 'npm'
@@ -61,7 +61,7 @@ jobs:
       - name: Publish to NPM
         if: env.changesets_found == 'true'
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@06245a4e0a36c064a573d4150030f5ec548e4fcc # v1.4.10
         with:
           publish: npx changeset publish
         env:
diff --git a/.github/workflows/snapit.yml b/.github/workflows/snapit.yml
index ce78eb4d2..0f94d527a 100644
--- a/.github/workflows/snapit.yml
+++ b/.github/workflows/snapit.yml
@@ -17,7 +17,7 @@ jobs:
     steps:
       # This action can be executed by users with write permission to this repo
       - name: Checkout current branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Force snapshot
         run: |
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b2fbc2226..ccddae5d0 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -11,13 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     - name: Setup node and npm
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
       with:
         cache: npm
     - name: NPM install
       run: npm ci
       shell: bash
     - run: npm test
-