diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index 95c34d18..4e684bde 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -18,8 +18,8 @@ jobs:
           - { name: "lowest", python: "3.10", tox: py310-lowest }
           - { name: "dev", python: "3.14", tox: py314-marshmallowdev }
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python }}
       - run: python -m pip install tox
@@ -28,8 +28,8 @@ jobs:
     name: Build package
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.14"
       - name: Install pypa/build
@@ -41,7 +41,7 @@ jobs:
       - name: Check build
         run: python -m twine check --strict dist/*
       - name: Store the distribution packages
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: python-package-distributions
           path: dist/
@@ -51,8 +51,8 @@ jobs:
     if: startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.14"
       - run: python -m pip install tox
@@ -69,9 +69,9 @@ jobs:
       id-token: write
     steps:
       - name: Download all the dists
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: python-package-distributions
           path: dist/
       - name: Publish distribution to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
diff --git a/pyproject.toml b/pyproject.toml
index aca18300..5fe70d6b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -85,7 +85,7 @@ test-pyramid = [
     # pyramid uses pkg_resources, which has been long deprecated and finally removed
     #
     # see https://github.com/Pylons/pyramid/issues/3731 for discussion within pyramid
-    "setuptools < 82.0"
+    "setuptools <82.0"
 ]
 test-falcon = ["falcon>=4.1.0", {include-group = "tests"}]
 test-aiohttp = ["aiohttp>=3.13.0", {include-group = "tests"}]