diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index fc4ff15..7fe8d65 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -6,11 +6,24 @@ on:
 push:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ # actions/checkout v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+ - name: Ensure workflow actions are pinned
+ run: |
+ refs="$(grep -RhoE 'uses:[[:space:]]+[^[:space:]]+@[^[:space:]]+' .github/workflows || true)"
+ bad_refs="$(printf '%s\n' "$refs" | awk -F@ 'NF > 1 && $2 !~ /^[0-9a-f]{40}$/ {print}')"
+ if [ -n "$bad_refs" ]; then
+ printf 'Mutable GitHub Actions refs are forbidden:\n%s\n' "$bad_refs"
+ exit 1
+ fi
 - name: Check required files exist
 run: |
@@ -30,7 +43,8 @@ jobs:
 fi
 - name: Validate markdown links
- uses: gaurav-nelson/github-action-markdown-link-check@v1
+ # gaurav-nelson/github-action-markdown-link-check v1
+ uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368
 with:
 use-quiet-mode: yes
 check-modified-files-only: no
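Review bot: The version note for the checkout pin sits on its own line above `uses:` (`# actions/checkout v4`), which Dependabot and Renovate do not read; they only bump a SHA-pinned action when the tag is a trailing comment on the `uses:` line itself, so this pin will go stale silently unless someone tracks upstream by hand. I would fold it into the line, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, ideally with the exact tag the SHA resolves to (the comment only says v4, so I cannot tell which release it is). Separately, the new "Ensure workflow actions are pinned" step only inspects refs that contain `@`, so a mutable `uses: docker://image:tag` reference passes untouched while a digest-pinned `docker://image@sha256:…` would be rejected by the 40-hex test; if container actions are ever used here, either accept `sha256:[0-9a-f]{64}` in the awk pattern as well or add a comment to the step stating that only repository actions are covered.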