diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cb15ac9..d7b5a08 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ env:
   CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
   CARGO_INCREMENTAL: 0
   CARGO_TERM_COLOR: always
+permissions:
+  contents: read
+
 jobs:
   ci:
     name: ${{ matrix.os }}
@@ -16,29 +19,29 @@ jobs:
       matrix:
         os: [ubuntu-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
         with:
           fetch-depth: 0
 
-      - uses: actions-rs/toolchain@v1
+      - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         if: ${{ matrix.os == 'windows-latest' }}
         with:
           toolchain: stable
           components: rustfmt, clippy
           profile: minimal
           override: true
-      - uses: cachix/install-nix-action@v16
+      - uses: cachix/install-nix-action@d56f3ce9be45c562799280e8a561fbbe8f36de44 # v16
         if: ${{ matrix.os != 'windows-latest' }}
         with:
           nix_path: nixpkgs=channel:nixos-unstable
-      - uses: cachix/cachix-action@v10
+      - uses: cachix/cachix-action@73e75d1a0cd4330597a571e8f9dedb41faa2fc4e # v10
         if: ${{ matrix.os != 'windows-latest' && env.CACHIX_AUTH_TOKEN != '' }}
         with:
           authToken: ${{ env.CACHIX_AUTH_TOKEN }}
           name: zoxide
 
       - name: Setup cache
-        uses: Swatinem/rust-cache@v1
+        uses: Swatinem/rust-cache@81d053bdb0871dcd3f10763c8cc60d0adc41762b # v1
         with:
           key: ${{ matrix.target }}
 
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
index b73a46c..8b1b5c3 100644
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -11,7 +11,7 @@ jobs:
     if: github.repository == 'ajeetdsouza/zoxide'
     runs-on: ubuntu-latest
     steps:
-      - uses: lee-dohm/no-response@v0.5.0
+      - uses: lee-dohm/no-response@9bb0a4b5e6a45046f00353d5de7d90fb8bd773bb # v0.5.0
         with:
           token: ${{ github.token }}
           daysUntilClose: 30
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8d0accf..4131efb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,11 +6,12 @@ on:
   workflow_dispatch:
 env:
   CARGO_INCREMENTAL: 0
+permissions:
+  contents: write
+
 jobs:
   release:
     name: ${{ matrix.target }}
-    permissions:
-      contents: write
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -38,19 +39,19 @@ jobs:
             target: aarch64-pc-windows-msvc
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
         with:
           fetch-depth: 0
 
       - name: Get version
         id: get_version
-        uses: SebRollen/toml-action@v1.0.2
+        uses: SebRollen/toml-action@2bd04b06a3ebc3e6a3eb6060de115710cad16cd6 # v1.0.2
         with:
           file: Cargo.toml
           field: package.version
 
       - name: Install Rust
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           toolchain: stable
           profile: minimal
@@ -58,12 +59,12 @@ jobs:
           target: ${{ matrix.target }}
 
       - name: Setup cache
-        uses: Swatinem/rust-cache@v1
+        uses: Swatinem/rust-cache@81d053bdb0871dcd3f10763c8cc60d0adc41762b # v1
         with:
           key: ${{ matrix.target }}
 
       - name: Build binary
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: build
           args: --release --locked --target=${{ matrix.target }} --color=always --verbose
@@ -71,13 +72,13 @@ jobs:
 
       - name: Install cargo-deb
         if: ${{ matrix.deb == true }}
-        uses: actions-rs/install@v0.1
+        uses: actions-rs/install@9da1d2adcfe5e7c16992e8242ca33a56b6d9b101 # v0.1.2
         with:
           crate: cargo-deb
 
       - name: Build deb
         if: ${{ matrix.deb == true }}
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: deb
           args: --no-build --no-strip --output=. --target=${{ matrix.target }}
@@ -102,7 +103,7 @@ jobs:
           ./target/${{ matrix.target }}/release/zoxide.exe
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
         with:
           name: ${{ matrix.target }}
           path: |
@@ -112,7 +113,7 @@ jobs:
 
       - name: Create release
         if: ${{ github.ref == 'refs/heads/main' && startsWith(github.event.head_commit.message, 'chore(release)') }}
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           files: |