diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index b2e8095984..71f49e618a 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Set workspace as safe
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Generate build matrix
@@ -54,7 +54,7 @@ jobs:
 image: ghcr.io/terrapkg/appstream-generator:main
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 merge-multiple: true
 path: ./artifacts
diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml
index c5e4e212fa..d94fc65b79 100644
--- a/.github/workflows/bootstrap.yml
+++ b/.github/workflows/bootstrap.yml
@@ -24,7 +24,7 @@ jobs:
 dnf5 swap -y --setopt=install_weak_deps=False systemd-standalone-sysusers systemd
 dnf5 install -y --setopt=install_weak_deps=False curl wget git-core openssl-devel cargo podman fuse-overlayfs dnf5-plugins rpmbuild script
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: f${{ matrix.version }}
 fetch-depth: 1
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4831269c68..e742693cde 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -32,7 +32,7 @@ jobs:
 options: --cap-add=SYS_ADMIN --privileged
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Setup Git
diff --git a/.github/workflows/json-build.yml b/.github/workflows/json-build.yml
index 0cfc047d63..f34c3dd24a 100644
--- a/.github/workflows/json-build.yml
+++ b/.github/workflows/json-build.yml
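Review bot: In the second autobuild.yml hunk the job container is still `image: ghcr.io/terrapkg/appstream-generator:main`, a mutable tag, so the newly pinned download-artifact step runs inside whatever image that tag resolves to at run time. Pinning by digest, e.g. `image: ghcr.io/terrapkg/appstream-generator@sha256:<digest-placeholder>`, would close the same gap this commit closes for actions. The same applies to `ghcr.io/terrapkg/builder:frawhide` and `:f42` in the update-*.yml hunks, where the container additionally runs with `--cap-add=SYS_ADMIN --privileged`. The container block begins outside this hunk, so other settings on it are not visible here.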
@@ -46,7 +46,7 @@ jobs:
 options: --cap-add=SYS_ADMIN --privileged
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
@@ -56,7 +56,7 @@ jobs:
 - name: Configure sccache
 id: sccache
 if: ${{ !contains(matrix.pkg.labels.sccache, '0') }}
- uses: actions/github-script@v8
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 env:
 SCCACHE_GHA_VERSION: ${{ matrix.version }}-${{ matrix.pkg.arch }}-${{ matrix.pkg.pkg }}
 SCCACHE_GHA_CACHE_FROM: ${{ matrix.version }}-${{ matrix.pkg.arch }}-${{ matrix.pkg.pkg }}
@@ -84,7 +84,7 @@ jobs:
 - name: Report Cache Summary
 if: steps.sccache.outcome == 'success'
- uses: actions/github-script@v8
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 script: |
 const script = require('./.github/scripts/sccache-stats.js')
@@ -97,7 +97,7 @@ jobs:
 x=${NAME//\//@}
 echo "name=$x" >> $GITHUB_OUTPUT
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: ${{ steps.art.outputs.name }}
 compression-level: 0 # The RPMs are already compressed :p
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index b6ffed0932..b51cce456a 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -1,13 +1,15 @@
 name: Automatic backport/sync action
 permissions:
- contents: write
- pull-requests: write
+ contents: read
 on:
 pull_request_target:
 types: ["labeled", "closed"]
 jobs:
 backport:
+ permissions:
+ contents: write
+ pull-requests: write
 name: Backport/sync PR
 runs-on: ubuntu-22.04
 if: github.event.pull_request.merged
diff --git a/.github/workflows/update-branch.yml b/.github/workflows/update-branch.yml
index 3b747eb77b..b63f895d06 100644
--- a/.github/workflows/update-branch.yml
+++ b/.github/workflows/update-branch.yml
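Review bot: The `actions/github-script` pin in the "Configure sccache" step of json-build.yml is not like-for-like: the old ref was `@v8` and the new line is annotated `# v9.0.0`, so this hunk and the "Report Cache Summary" hunk also take a major-version upgrade. The checkout and artifact pins in this commit stay within their existing major versions. It would be safer either to pin the commit behind the current v8 tag here and upgrade separately, or to confirm against the v9 release notes that the inline script and `require('./.github/scripts/sccache-stats.js')` still behave the same. The SHA-to-tag mapping in the trailing comments cannot be checked from the diff, so each SHA should be verified against the upstream tag before merging.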
@@ -1,6 +1,6 @@
 name: Update per branch
 permissions:
- contents: write
+ contents: read
 on:
 schedule:
 - cron: "*/30 * * * *"
@@ -8,6 +8,8 @@ on:
 jobs:
 autoupdate:
+ permissions:
+ contents: write
 runs-on: ubuntu-22.04
 strategy:
 matrix:
@@ -22,7 +24,7 @@ jobs:
 options: --cap-add=SYS_ADMIN --privileged
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ matrix.branch }}
 fetch-depth: 0
diff --git a/.github/workflows/update-comps.yml b/.github/workflows/update-comps.yml
index 73348ff6b1..3ff3a2f96d 100644
--- a/.github/workflows/update-comps.yml
+++ b/.github/workflows/update-comps.yml
@@ -6,6 +6,8 @@ on:
 push:
 branches:
 - frawhide
+ - f44
+ - f43
 - f42
 - el10
 paths:
@@ -18,7 +20,7 @@ jobs:
 container:
 image: ghcr.io/terrapkg/builder:f42
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Push to subatomic
 run: |
 branch=${{ github.ref_name }}
diff --git a/.github/workflows/update-nightly.yml b/.github/workflows/update-nightly.yml
index 0856ef4ba2..ef7cfa2d0c 100644
--- a/.github/workflows/update-nightly.yml
+++ b/.github/workflows/update-nightly.yml
@@ -1,6 +1,6 @@
 name: Nightly Update
 permissions:
- contents: write
+ contents: read
 on:
 schedule:
 - cron: "0 0 * * *"
@@ -8,13 +8,14 @@ on:
 jobs:
 autoupdate:
+ contents: write
 runs-on: ubuntu-22.04
 container:
 image: ghcr.io/terrapkg/builder:frawhide
 options: --cap-add=SYS_ADMIN --privileged
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }}
diff --git a/.github/workflows/update-weekly.yml b/.github/workflows/update-weekly.yml
index d26ea27b99..6614229bae 100644
--- a/.github/workflows/update-weekly.yml
+++ b/.github/workflows/update-weekly.yml
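Review bot: In the second update-nightly.yml hunk the added `contents: write` sits directly under `autoupdate:` with no `permissions:` parent. The hunk header (13 to 14 lines) confirms only one line was added, whereas the matching hunks in update-weekly.yml and update.yml add two. As written, `contents` is an unknown job-level key, so the workflow is likely to be rejected as invalid. Even if it were accepted, the job would not receive write scope now that the workflow default is `contents: read`. The addition should be `permissions:` followed by a nested `contents: write`, as in the sibling workflows.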
@@ -1,6 +1,6 @@
 name: Weekly Update
 permissions:
- contents: write
+ contents: read
 on:
 schedule:
 - cron: "0 0 * * *"
@@ -8,13 +8,15 @@ on:
 jobs:
 autoupdate:
+ permissions:
+ contents: write
 runs-on: ubuntu-22.04
 container:
 image: ghcr.io/terrapkg/builder:frawhide
 options: --cap-add=SYS_ADMIN --privileged
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }}
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index f4c49641dc..806ad6431a 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -1,6 +1,6 @@
 name: Update
 permissions:
- contents: write
+ contents: read
 on:
 schedule:
 - cron: "*/10 * * * *"
@@ -8,13 +8,15 @@ on:
 jobs:
 autoupdate:
+ permissions:
+ contents: write
 runs-on: ubuntu-22.04
 container:
 image: ghcr.io/terrapkg/builder:frawhide
 options: --cap-add=SYS_ADMIN --privileged
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }}
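Review bot: The job-level `contents: write` added to `autoupdate` in update-weekly.yml may be broader than the job needs, because the checkout in the same hunk passes `ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }}`. If the later push goes over that key, the GITHUB_TOKEN only needs the workflow-level `contents: read`, and the job-level block could be dropped. If a later step does write with the token, a short comment above the block naming that step would record why the scope is needed. The same applies to update.yml and, once its `permissions:` parent is restored, update-nightly.yml. The steps after checkout are outside these hunks, so this is to be confirmed against the full files.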