diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 16bdaa5c..41be41de 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -25,31 +25,33 @@ env:
 jobs:
-  check-ext-build:
-    name: Check dependabot/external build
+  pre-checks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: Activiti/Activiti/.github/actions/check-ext-build@8.0.0-alpha.10
-
-  pre-commit:
-    needs: check-ext-build
-    runs-on: ubuntu-latest
-    steps:
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@v3.2.1
-      - uses: bridgecrewio/checkov-action@v12.1839.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Check dependabot build
+        uses: Activiti/Activiti/.github/actions/check-ext-build@4db084fcbb13a288f3b66ac08fc50a5ab7f144ed # 8.0.0-alpha.10
+      - name: Setup Helm Docs
+        uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
+      - name: Run Checkov
+        uses: bridgecrewio/checkov-action@e1bb78184f5dd3690fb1089d6c4f51295f9dff48 # v12.1839.0
         with:
           framework: kubernetes
-      - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v3.2.1
+      - name: pre-commit
+        uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@8c2a3691aa49cd105f62c2983cda3089b82afe89 # v4.0.0
+        with:
+          skip_checkout: true
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b35f285b9bb7e80de0967367cee66d3b6d50ceca # v3.0.1
   build:
     runs-on: ubuntu-latest
-    needs: pre-commit
+    needs: pre-checks
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Build
-        uses: Alfresco/alfresco-build-tools/.github/actions/helm-build-chart@v3.2.1
+        uses: Alfresco/alfresco-build-tools/.github/actions/helm-build-chart@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         with:
           chart-dir: ${{ env.CHART_DIR }}
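Review bot: The new `Ensure SHA pinned actions` step is the last step of `pre-checks`, so the policy check only runs after checkout, check-ext-build, helm-docs, Checkov and pre-commit have already executed; move the `- name: Ensure SHA pinned actions` / `uses: zgosalvez/github-actions-ensure-sha-pinned-actions@…` pair directly after the `actions/checkout` step so an unpinned reference fails the job before anything else runs. As far as I can tell that action only inspects this repository's own workflow files, so the SHA pins added here fix the composite actions' definitions but not the refs those actions use internally; a short comment such as `# checks this repo's workflows only; refs inside the pinned composite actions are not covered` would record that limit for the next reader. In the same hunk `pre-commit` moves to v4.0.0 and gains `skip_checkout: true` while every other alfresco-build-tools action stays on v3.2.1; if the major bump exists only to get that input, say so next to it, e.g. `# v4.0.0 for skip_checkout; sibling actions still on v3.2.1`, so a later upgrade does not treat the mismatch as accidental.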
@@ -65,23 +67,23 @@ jobs:
     outputs:
       version: ${{ steps.calculate-next-internal-version.outputs.next-prerelease }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Parse next release
         id: helm-parse-next-release
-        uses: Alfresco/alfresco-build-tools/.github/actions/helm-parse-next-release@v3.2.1
+        uses: Alfresco/alfresco-build-tools/.github/actions/helm-parse-next-release@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         with:
           chart-dir: ${{ env.CHART_DIR }}
       - id: calculate-next-internal-version
         name: Calculate next internal release
-        uses: Alfresco/alfresco-build-tools/.github/actions/calculate-next-internal-version@v3.2.1
+        uses: Alfresco/alfresco-build-tools/.github/actions/calculate-next-internal-version@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         with:
           next-version: ${{ steps.helm-parse-next-release.outputs.next-release }}
       - id: helm-release-and-publish
         name: Release and publish helm chart
-        uses: Alfresco/alfresco-build-tools/.github/actions/helm-release-and-publish@v3.2.1
+        uses: Alfresco/alfresco-build-tools/.github/actions/helm-release-and-publish@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         with:
           version: ${{ steps.calculate-next-internal-version.outputs.next-prerelease }}
           chart-dir: ${{ env.CHART_DIR }}
@@ -101,15 +103,15 @@ jobs:
       VERSION: ${{ needs.publish.outputs.version }}
       DEVELOPMENT_BRANCH: ${{ github.ref_name }}
     steps:
-      - uses: Activiti/activiti-scripts/.github/actions/wait-for-chart@develop
+      - uses: Activiti/activiti-scripts/.github/actions/wait-for-chart@000995bdf3eae49f78ff39c462226208039ef1a8 # 8.1.0
         with:
           chart-name: ${{ env.CHART_NAME }}
           version: ${{ env.VERSION }}
           helm-repo-name: ${{ env.HELM_REPO_NAME }}
           helm-repo-url: ${{ env.HELM_REPO_BASE_URL }}
-      - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@v3.2.1
-      - uses: Alfresco/alfresco-build-tools/.github/actions/jx-updatebot-pr@v3.2.1
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-helm-docs@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
+      - uses: Alfresco/alfresco-build-tools/.github/actions/jx-updatebot-pr@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         env:
           GH_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
         with:
@@ -129,7 +131,7 @@ jobs:
     if: always() && failure() && github.event_name == 'push'
     steps:
       - name: Slack Notification
-        uses: Alfresco/alfresco-build-tools/.github/actions/send-slack-notification@v3.2.1
+        uses: Alfresco/alfresco-build-tools/.github/actions/send-slack-notification@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         with:
           channel-id: 'eng-hxp-studio-activiti-gh-notifs'
           token: ${{ secrets.SLACK_NOTIFICATION_BOT_TOKEN }}
diff --git a/.github/workflows/rc.yml b/.github/workflows/rc.yml
index 97f6841c..f0259ed3 100644
--- a/.github/workflows/rc.yml
+++ b/.github/workflows/rc.yml
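Review bot: The `wait-for-chart` reference in the `@@ -101,15` hunk changes from the floating `@develop` branch to a commit SHA annotated `# 8.1.0`, so this job stops following that branch and will only change when something re-pins it; the same applies to the identical pin in the rc.yml hunk at `@@ -40,7`. I believe Dependabot keeps SHA pins current by matching the trailing version comment to a tag, so it is worth confirming that `8.1.0` is a real tag in Activiti/activiti-scripts pointing at `000995bd…` and that the `github-actions` ecosystem is enabled in the repository's dependabot configuration, which this diff does not show. If the comment does not correspond to a tag, a note such as `# pinned from develop on <date>; no tag, bump manually` next to the `uses:` line would make the maintenance burden explicit.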
@@ -20,17 +20,17 @@ jobs:
     env:
       VERSION: ${{ github.ref_name }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - id: helm-package-chart
         name: Package Helm chart
-        uses: Alfresco/alfresco-build-tools/.github/actions/helm-package-chart@v3.2.1
+        uses: Alfresco/alfresco-build-tools/.github/actions/helm-package-chart@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         with:
           chart-dir: ${{ env.CHART_DIR }}
       - id: helm-publish-chart
         name: Publish Helm chart
-        uses: Alfresco/alfresco-build-tools/.github/actions/helm-publish-chart@v3.2.1
+        uses: Alfresco/alfresco-build-tools/.github/actions/helm-publish-chart@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         with:
           chart-package: ${{ steps.helm-package-chart.outputs.package-file-path }}
           helm-charts-repo: ${{ env.HELM_REPO }}
@@ -40,7 +40,7 @@ jobs:
           token: ${{ secrets.BOT_GITHUB_TOKEN }}
           git-username: ${{ secrets.BOT_GITHUB_USERNAME }}
-      - uses: Activiti/activiti-scripts/.github/actions/wait-for-chart@develop
+      - uses: Activiti/activiti-scripts/.github/actions/wait-for-chart@000995bdf3eae49f78ff39c462226208039ef1a8 # 8.1.0
         with:
           chart-name: ${{ env.CHART_NAME }}
           version: ${{ env.VERSION }}
@@ -54,7 +54,7 @@ jobs:
     if: always() && failure() && github.event_name == 'push'
     steps:
       - name: Slack Notification
-        uses: Alfresco/alfresco-build-tools/.github/actions/send-slack-notification@v3.2.1
+        uses: Alfresco/alfresco-build-tools/.github/actions/send-slack-notification@3741d4445541db169728841ebedb8725b51f0b45 # v3.2.1
         with:
           channel-id: 'eng-hxp-studio-releases-gh-notifs'
           token: ${{ secrets.SLACK_NOTIFICATION_BOT_TOKEN }}