diff --git a/.github/workflows/caddy-update.yml b/.github/workflows/caddy-update.yml
index 008c486..966789e 100644
--- a/.github/workflows/caddy-update.yml
+++ b/.github/workflows/caddy-update.yml
@@ -40,7 +40,7 @@ jobs:
 cat ./Dockerfile
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676
 with:
 commit-message: caddy-update automated change
 signoff: true
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 5b63050..206084e 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -19,20 +19,20 @@ jobs:
 uses: actions/checkout@v6
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build container image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
 with:
 push: true
 platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml
new file mode 100644
index 0000000..658d8b5
--- /dev/null
+++ b/.github/workflows/lint-yaml.yml
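Review bot: The new SHA pin on the `uses:` line carries no trailing version comment, so a reader can no longer tell which release the 40-character ref corresponds to, and update tooling that keys off such a comment has nothing to maintain; the same applies to the four docker/* pins in docker-build.yml and the ludeeus/action-shellcheck pin in shellcheck.yml. The lint-yaml.yml added in this same commit already uses the `uses: owner/action@<sha> # vX.Y.Z` form, so the existing pins should follow it, e.g. `uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v8` if that hash is indeed what the removed `v8` tag resolved to at pin time — worth confirming against the upstream release before committing the comment. The enclosing `steps:` list starts outside the hunk.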
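Review bot: `actions/checkout@v6` on the first context line of the hunk stays tag-pinned while the four docker/* steps below it move to commit SHAs; that is consistent with the `actions/*: ref-pin` policy in the new zizmor.yml, but mixing two pinning schemes in one step list is easy to misread as an oversight. If leaving GitHub-owned actions on tag refs is deliberate, a one-line comment on the checkout step such as `# GitHub-owned action: tag ref accepted per the unpinned-uses policy in zizmor.yml` would record that; otherwise pin it like the rest. The step named `Login to DockerHub` logs into `registry: ghcr.io` according to its own `with:` block, so the name is misleading and `Login to GHCR` would match what it does. The enclosing `steps:` list starts before the hunk and the build step's `with:` block continues after it.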
@@ -0,0 +1,39 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+#
+# SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: MIT
+
+name: Lint YAML
+
+on: pull_request
+
+permissions:
+ contents: read
+
+jobs:
+ yaml-lint:
+ runs-on: ubuntu-latest
+
+ name: yaml
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: GitHub action templates lint
+ uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
+ with:
+ file_or_dir: .github/workflows
+ config_data: |
+ line-length: warning
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5.3.1
+
+ - name: Check GitHub actions
+ run: uvx zizmor --min-severity medium .github/workflows/*.yml
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 22b7798..be2f880 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 - name: Run Shellcheck
- uses: ludeeus/action-shellcheck@2.0.0
+ uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38
 with:
 check_together: 'yes'
 env:
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 0000000..375bb60
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+ excessive-permissions:
+ disable: true
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: ref-pin
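Review bot: The `run: uvx zizmor --min-severity medium .github/workflows/*.yml` step at the end of the new file resolves zizmor to whatever version the package index serves at run time, so the workflow that enforces pinned actions is itself executing an unpinned tool, and a new zizmor release can change findings or behaviour without any commit to this repository. Pin the package in the invocation, e.g. `run: uvx zizmor==<PINNED_VERSION> --min-severity medium .github/workflows/*.yml` (placeholder for the chosen release), and bump it deliberately alongside the action SHAs. `--min-severity medium` also drops low-severity findings; that is a defensible default but deserves a short comment on the step saying it is intentional rather than an accident of copy-paste from the template. Whether zizmor applies the root-level `zizmor.yml` added in this commit depends on its config discovery rules — confirm that a run from the repository root picks up the `unpinned-uses` policies rather than the defaults.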
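Review bot: `disable: true` under `excessive-permissions` switches that audit off for every workflow, including ones added later, with no comment saying why; the visible lint-yaml.yml sets `permissions: contents: read`, so presumably it is the pre-existing workflows in this commit that would trigger it, but their `permissions:` blocks are not in the hunks shown. Prefer to record the reason and keep the audit live for new files, either with a comment such as `# disabled: existing workflows rely on the default GITHUB_TOKEN scope — revisit per workflow` or by replacing `disable: true` with an `ignore:` list naming the specific workflow files that are accepted as-is. The `actions/*: ref-pin` policy leaves only GitHub-owned actions on tag refs, which matches `actions/checkout@v6` staying unpinned in docker-build.yml and shellcheck.yml; a one-line comment above the policy stating that trust decision would keep the intent visible to the next reader.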