diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b979a3121ba..2eb0c061fb1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,12 +24,12 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@231aa2c8a89117b126725a0e11897209b7118144 # v1 on 2025-04-02, TODO: consider using a release
         with:
           languages: python
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@231aa2c8a89117b126725a0e11897209b7118144 # v1 on 2025-04-02, TODO: consider using a release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
\ No newline at end of file
+        uses: github/codeql-action/analyze@231aa2c8a89117b126725a0e11897209b7118144 # v1 on 2025-04-02, TODO: consider using a release
\ No newline at end of file
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 732d78aeb55..e24733e8279 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -61,7 +61,7 @@ jobs:
           && echo "::set-output name=json_plaintext::$(cat output.json)"
       - name: Report on benchmark results
         if: steps.find_and_merge_benchmarks.outputs.json_plaintext != 'null'
-        uses: rhysd/github-action-benchmark@v1
+        uses: rhysd/github-action-benchmark@fd31771ce86cc65eab85653da103f71ab1b4479c # v1.9.0
         with:
           name: OpenTelemetry Python Benchmarks - Python ${{ env[matrix.python-version ]}} - ${{ matrix.package }}
           tool: pytest