diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 660c24b..370dab8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,9 +25,11 @@ jobs:
         options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: setup Go environment
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: "**/*.sum"
diff --git a/.github/workflows/issue_commands.yml b/.github/workflows/issue_commands.yml
index cfab551..30bf2cd 100644
--- a/.github/workflows/issue_commands.yml
+++ b/.github/workflows/issue_commands.yml
@@ -1,4 +1,6 @@
 name: Run commands when issues are labeled
+permissions: {}
+
 on:
   issues:
     types: [labeled]
@@ -7,15 +9,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
+          persist-credentials: false
           path: ./actions
           ref: main
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: Run Commands
         uses: ./actions/commands
+        env:
+          ISSUE_COMMANDS_TOKEN: ${{secrets.ISSUE_COMMANDS_TOKEN}}
         with:
-          token: ${{secrets.ISSUE_COMMANDS_TOKEN}}
+          token: ${ISSUE_COMMANDS_TOKEN}
           configPath: issue_commands