diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index bd649f3..630d8b7 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -12,7 +12,7 @@ jobs:
     timeout-minutes: 4
     if: "!contains(github.event.head_commit.message, 'update changelog')"
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d7b22ce..cb8f717 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
 
       # Initialize the CodeQL tools for scanning.
       - name: Initialize CodeQL
diff --git a/.github/workflows/cpp.yml b/.github/workflows/cpp.yml
index 8bc9534..6bca992 100644
--- a/.github/workflows/cpp.yml
+++ b/.github/workflows/cpp.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: macos-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
       - name: build
         run: |
           clang++ -std=c++2a --verbose -Wall -Wextra -pedantic -g \
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
index 8ec6a47..83d1de5 100644
--- a/.github/workflows/flawfinder.yml
+++ b/.github/workflows/flawfinder.yml
@@ -25,7 +25,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
 
       - name: flawfinder_scan
         uses: david-a-wheeler/flawfinder@2.0.19
diff --git a/.github/workflows/jsonlint.yml b/.github/workflows/jsonlint.yml
index b00cbf3..c632ad7 100644
--- a/.github/workflows/jsonlint.yml
+++ b/.github/workflows/jsonlint.yml
@@ -11,7 +11,7 @@ jobs:
     name: Format JSON files and create a pull request
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
       - name: Install linter
         run: |
           command sudo npm install \
diff --git a/.github/workflows/shellcheck-markdown.yml b/.github/workflows/shellcheck-markdown.yml
index db98083..b42ba2e 100644
--- a/.github/workflows/shellcheck-markdown.yml
+++ b/.github/workflows/shellcheck-markdown.yml
@@ -17,7 +17,7 @@ jobs:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
       - name: Run shellcheck
         run: |
           # test shell syntax of Markdown code snippets
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index c5c24b6..8f4e75f 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -35,7 +35,7 @@ jobs:
       # Checkout the code base #
       ##########################
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           # linter requires full repository history
           fetch-depth: 0