diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
index 25aa1e5..3cb19de 100644
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -19,13 +19,13 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: step-security/harden-runner@v1
+    - uses: step-security/harden-runner@14dc64f30986eaa2ad2dddcec073f5aab18e5a24 # v1
       with:
         allowed-endpoints: 
           api.github.com:443
           github.com:443
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
     - name: Update the rc tag
       uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
       with:
@@ -33,7 +33,7 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int@sha256:f1f95204dc1f12a41eaf41080185e2d289596b3e7637a8c50a3f6fbe17f99649
       env:
         PAT: ${{ secrets.PAT }}
-        canary: true
\ No newline at end of file
+        canary: true