diff --git a/.github/workflows/native-core-build.yml b/.github/workflows/native-core-build.yml index 3d7e2f5..13272c3 100644 --- a/.github/workflows/native-core-build.yml +++ b/.github/workflows/native-core-build.yml @@ -30,7 +30,7 @@ jobs: uses: astral-sh/setup-uv@v7 - name: Setup Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable - name: Install protobuf compiler run: | diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index 9e576d9..94ed8bb 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -494,7 +494,7 @@ jobs: path: dist merge-multiple: true - name: Publish via PyPI Trusted Publisher - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 # No `with: password:` — Trusted Publisher uses OIDC, no token stored. with: # PEP 740: mint a Sigstore-backed digital attestation for every
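Review bot: The `Setup Rust` step is now pinned, but the step directly above it in this hunk still resolves `astral-sh/setup-uv@v7` through a mutable tag, so the same job keeps one action reference that can be repointed upstream without any change in this repository. Pin it the same way, e.g. `uses: astral-sh/setup-uv@<full-commit-sha> # v7.x.y` (placeholder; take the SHA from the upstream release tag). Separately, `dtolnay/rust-toolchain` picks the toolchain from the revision it is requested at, and no `with:` block is visible on this step; if the pinned commit is not on the action's `stable` branch, an explicit `with: toolchain: stable` is presumably needed. The pin fixes the action's code only, since the compiler installed is still whatever stable is at run time. The job's remaining steps are outside the hunk.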
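Review bot: Nothing in the hunk ties the SHA pinned on the `Publish via PyPI Trusted Publisher` step to the release named in its trailing comment. Because this step publishes with the job's OIDC identity, the `# v1.14.0` label is worth verifying rather than trusting. Confirm that the SHA is the commit the upstream `v1.14.0` tag resolves to in `pypa/gh-action-pypi-publish` itself, since GitHub also resolves SHAs that exist only in forks of an action repository. One way to check is `git ls-remote --tags https://github.com/pypa/gh-action-pypi-publish 'v1.14.0*'`. Keeping the `# vX.Y.Z` comment format lets an update bot such as Dependabot's `github-actions` ecosystem bump the SHA and the comment together, so the pin does not go stale.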