diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
index b3d0bf074..936b1f879 100644
--- a/.github/workflows/dependency-scan.yml
+++ b/.github/workflows/dependency-scan.yml
@@ -13,7 +13,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Generate SBOM
-        uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
+        uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@d271978e893b5b9facb9f000414e9fcd62e1f78b # main
         with:
           types: 'nodejs'
 
@@ -25,6 +25,6 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Evaluate SBOM Policy
-        uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
+        uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@d271978e893b5b9facb9f000414e9fcd62e1f78b # main
         with:
           artifacts-pattern: bom-*
diff --git a/.github/workflows/server-node.yml b/.github/workflows/server-node.yml
index 85abb74a3..ad7723dc0 100644
--- a/.github/workflows/server-node.yml
+++ b/.github/workflows/server-node.yml
@@ -50,7 +50,7 @@ jobs:
           ./test-harness -url http://localhost:8000 -debug --skip-from=testharness-suppressions-fdv2.txt
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.0.2
+      - uses: launchdarkly/gh-actions/actions/contract-tests@0b3ff8f7ffc27033ba68fe8e98cf9dd263887147 # contract-tests-v1.0.2
         with:
           test_service_port: 8000
           token: ${{ secrets.GITHUB_TOKEN }}