diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6d445f..069d2af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ defaults:
   run:
     shell: pwsh
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   update_tag:
     name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
@@ -28,7 +31,7 @@ jobs:
           api.github.com:443
           github.com:443
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
     - name: Update the rc tag
       uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
       with:
@@ -36,7 +39,7 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest
       env:
         PAT: ${{ secrets.PAT }}
         canary: true