diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
index 2e2ac9f..44b8dea 100644
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -12,6 +12,9 @@ defaults:
   run:
     shell: pwsh
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   update_tag:
     name: Update the rc tag to ${{ github.event.inputs.COMMIT_SHA }} commit
@@ -33,7 +36,7 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest
       env:
         PAT: ${{ secrets.PAT }}
         canary: true