diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..e09c093
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2017-2024 Contributors to the OpenSTEF project
+#
+# SPDX-License-Identifier: MPL-2.0
+
+# Require maintainer review for CI/CD configuration changes
+/.github/ @OpenSTEF/maintainers
diff --git a/.github/workflows/black-format-code.yml b/.github/workflows/black-format-code.yml
index b3de1dc..885f045 100644
--- a/.github/workflows/black-format-code.yml
+++ b/.github/workflows/black-format-code.yml
@@ -30,14 +30,14 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Check formatting using black
- uses: rickstaa/action-black@v1
+ uses: rickstaa/action-black@d86849e16a3c498947d70be55198feb86d5d4f53 # v1
 id: action_black
 with:
 black_args: "."
 - name: Annotate diff changes using reviewdog
 if: steps.action_black.outputs.is_formatted == 'true'
- uses: reviewdog/action-suggester@v1
+ uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1
 with:
 tool_name: blackfmt
diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
index 7412f27..7aa7c2f 100644
--- a/.github/workflows/pr-labeler.yaml
+++ b/.github/workflows/pr-labeler.yaml
@@ -14,7 +14,7 @@ jobs:
 pull-requests: write # To add labels
 runs-on: ubuntu-latest
 steps:
- - uses: TimonVS/pr-labeler-action@v5
+ - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5
 with:
 configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
 env:
diff --git a/.github/workflows/python-build.yaml b/.github/workflows/python-build.yaml
index fb3249b..8cc4c57 100644
--- a/.github/workflows/python-build.yaml
+++ b/.github/workflows/python-build.yaml
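Review bot: The comment `# Require maintainer review for CI/CD configuration changes` on the new CODEOWNERS file promises more than the file can deliver by itself: CODEOWNERS only designates reviewers, and the review becomes mandatory only when the target branch's protection rule "Require review from Code Owners" is enabled, which this commit cannot show. Rewording it to `# Maintainers are requested as reviewers for CI/CD configuration changes; enforced only if branch protection requires Code Owner review` keeps the intent and records the dependency for whoever configures the repository. On the positive side the `/.github/` pattern also covers this CODEOWNERS file itself, so a change to the ownership rule goes through the same reviewers.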
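Review bot: The `# v4` / `# v1` trailers beside each pinned SHA in the black-format-code hunk are plain comments that nothing validates, so after this commit the only thing keeping the comment, the commit and the upstream release in step is an updater such as Dependabot or Renovate that rewrites both together; this diff adds no such configuration, so confirm one exists or the pins will silently age. The same applies to every pin in this commit: the pr-labeler, python-build, python-upload-package, release-drafter and reuse-compliance hunks. Separately, this workflow's job header lies outside the hunk and, unlike python-build and reuse-compliance, the file receives no `permissions:` block here; if the job still runs with the default token, a job-level `permissions:` with `contents: read` and `pull-requests: write` (the latter presumably needed by the reviewdog suggester step to post suggestions) would give it the same least-privilege treatment the other workflows get.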
@@ -9,6 +9,8 @@ on:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 container: python:3.13-bookworm
 # Service containers to run with `container-job`
@@ -36,17 +38,17 @@ jobs:
 steps:
 # Checkout
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 # Setup
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: ${{ matrix.python-version }}
 # Restore
 - name: Restore pip cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 # This path is specific to Ubuntu
 path: ~/.cache/pip
diff --git a/.github/workflows/python-upload-package.yml b/.github/workflows/python-upload-package.yml
index 19b05d8..2e69c08 100644
--- a/.github/workflows/python-upload-package.yml
+++ b/.github/workflows/python-upload-package.yml
@@ -18,10 +18,10 @@ jobs:
 steps:
 # Checkout
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 # Setup
 - name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.x'
 # Install (packaging) dependencies
@@ -33,4 +33,4 @@ jobs:
 - name: Build
 run: python setup.py sdist bdist_wheel
 - name: Publish
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
index 6146042..cb5330b 100644
--- a/.github/workflows/release-drafter.yaml
+++ b/.github/workflows/release-drafter.yaml
@@ -17,6 +17,9 @@ on:
 jobs:
 update_release_draft:
+ permissions:
+ contents: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 # (Optional) GitHub Enterprise requires GHE_HOST variable set
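Review bot: The newly pinned checkout step in the second python-build hunk still leaves `persist-credentials` at its default, which keeps the job's GITHUB_TOKEN in the checked-out repository's git config for every later step, including the `pip` installs that the cache step prepares for; as far as the hunk shows the job only builds and tests (later steps are outside it), so the `with:` block could read `fetch-depth: 0` followed by `persist-credentials: false` to stop the token from being reachable there. If a later step in this file does push with the token, keep the default and note why in a comment. The same default applies to the checkout steps pinned in the python-upload-package and reuse-compliance hunks.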
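Review bot: python-upload-package.yml is the only workflow touched by this commit whose job gets no `permissions:` block, although its hunks are the ones with the highest stakes: the pinned `pypa/gh-action-pypi-publish` step publishes the package, and the job header lies outside the hunk so I cannot tell whether the token is already restricted there. Adding a job-level `permissions:` with `contents: read` would match what the commit does for python-build and reuse-compliance; add `id-token: write` only if the publish step relies on trusted publishing rather than a stored token, which the hunk does not show either way.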
@@ -25,7 +28,7 @@ jobs:
 # echo "GHE_HOST=${GITHUB_SERVER_URL##https:\/\/}" >> $GITHUB_ENV
 # Drafts your next Release notes as Pull Requests are merged into "master"
- - uses: release-drafter/release-drafter@v5
+ - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5
 # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
 # with:
 # config-name: my-config.yml
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index ce74612..69c5116 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -9,10 +9,12 @@ on:
 jobs:
 test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 # Checkout
 - name: checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 # Reuse
 - name: REUSE Compliance Check
- uses: fsfe/reuse-action@v1
+ uses: fsfe/reuse-action@28cf8f33bc50f4c306f52e38fe3826717dea63dc # v1