diff --git a/.github/scripts/check-pinned-dependencies.mjs b/.github/scripts/check-pinned-dependencies.mjs
new file mode 100644
index 00000000..c5862cff
--- /dev/null
+++ b/.github/scripts/check-pinned-dependencies.mjs
@@ -0,0 +1,26 @@
+import fs from 'node:fs';
+const pkg = JSON.parse(await fs.promises.readFile('package.json', 'utf8'));
+const errors = [];
+
+function isPinned(version) {
+ return /^\d+\.\d+\.\d+(-canary\.\d+)?$/.test(version);
+}
+
+for (const [dep, version] of Object.entries(pkg.dependencies || {})) {
+ if (!isPinned(version)) {
+ errors.push(`Dependency "${dep}" is not pinned: "${version}"`);
+ }
+}
+
+for (const [dep, version] of Object.entries(pkg.devDependencies || {})) {
+ if (!isPinned(version)) {
+ errors.push(`Dev dependency "${dep}" is not pinned: "${version}"`);
+ }
+}
+
+if (errors.length > 0) {
+ console.error(`\n${errors.join('\n')}\n`);
+ process.exit(1);
+} else {
+ console.log('All dependencies are pinned.');
+}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9102991a..370e0738 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,6 +4,9 @@ on:
 branches:
 - main
 pull_request:
+permissions:
+ contents: read
+ pull-requests: read
 jobs:
 lint:
 runs-on: buildjet-4vcpu-ubuntu-2204
@@ -14,14 +17,9 @@ jobs:
 # password: ${{ secrets.DOCKER_HUB_API_KEY || '' }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
 - name: pnpm setup
- uses: pnpm/action-setup@v4
- - name: Setup Node
- uses: actions/setup-node@v4
- with:
- node-version: 20
- cache: "pnpm"
+ uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda
 - name: Install packages
 run: pnpm install
 - name: Run Lint
diff --git a/.github/workflows/pin-dependencies-check.yml b/.github/workflows/pin-dependencies-check.yml
index cf1fbdfb..eb0afe49 100644
--- a/.github/workflows/pin-dependencies-check.yml
+++ b/.github/workflows/pin-dependencies-check.yml
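Review bot: Only `dependencies` and `devDependencies` are scanned, so a floating range under `optionalDependencies` would pass this gate even though pnpm installs that section by default; if the manifest ever uses it, add a third loop mirroring the devDependencies one over `Object.entries(pkg.optionalDependencies || {})` with the same `isPinned` test. The script also has no header comment stating the policy it enforces, which leaves the `-canary` special case in the regex unexplained; a line such as `// Fails CI unless every dependency in package.json is an exact version (x.y.z, or x.y.z-canary.N for prereleases); ranges, dist-tags and aliases are rejected.` at the top would cover it. Worth keeping in mind that exact versions pin resolution, not content: the integrity guarantee still comes from the committed pnpm-lock.yaml being honoured at install time, which this check does not verify.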
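Review bot: `pull-requests: read` is granted here although nothing the hunk shows — checkout, pnpm setup, install, lint — reads pull-request data; unless the `Run Lint` command outside the hunk calls the PR API, the block can shrink to `contents: read` alone. The same extra grant appears in the permissions hunks of pin-dependencies-check.yml and tests.yml. Read scopes are low risk, but a workflow-level `permissions:` block is where reviewers look for what the job actually needs, so listing only what is used keeps it meaningful.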
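Review bot: The SHA pins on the two `uses:` lines carry no trailing tag comment, so a reader cannot tell which release `08eba0b27e820071cde6df949e0beb9ba4906955` or `a7487c7e89a18df4991f7f222e4898a00d66ddda` corresponds to, and update bots such as Dependabot and Renovate keep that comment in sync when they bump a pinned SHA; write e.g. `uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # <tag this SHA resolves to>`. The same applies to the checkout and pnpm pins in pin-dependencies-check.yml, pr-title-check.yml and tests.yml. Dropping the `actions/setup-node` step also drops its `cache: "pnpm"`, so `pnpm install` now runs without a store cache between runs unless something outside this hunk provides one; a dedicated `actions/cache` step on the pnpm store is the usual replacement if install time matters. The job's Node version now comes solely from its `container:` image, which is outside this hunk.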
@@ -4,6 +4,9 @@ on:
 branches:
 - main
 pull_request:
+permissions:
+ contents: read
+ pull-requests: read
 jobs:
 pin-dependencies-check:
 runs-on: buildjet-4vcpu-ubuntu-2204
@@ -14,34 +17,7 @@ jobs:
 # password: ${{ secrets.DOCKER_HUB_API_KEY || '' }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
 - name: Check for pinned dependencies
 run: |
- node -e '
- const fs = require("fs");
- const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
- const errors = [];
-
- function isPinned(version) {
- return /^\d+\.\d+\.\d+(-canary\.\d+)?$/.test(version);
- }
-
- for (const [dep, version] of Object.entries(pkg.dependencies || {})) {
- if (!isPinned(version)) {
- errors.push(`Dependency "${dep}" is not pinned: "${version}"`);
- }
- }
-
- for (const [dep, version] of Object.entries(pkg.devDependencies || {})) {
- if (!isPinned(version)) {
- errors.push(`Dev dependency "${dep}" is not pinned: "${version}"`);
- }
- }
-
- if (errors.length > 0) {
- console.error(`\n${errors.join("\n")}\n`);
- process.exit(1);
- } else {
- console.log("All dependencies are pinned.");
- }
- '
+ node .github/scripts/check-pinned-dependencies.mjs
diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
index 60d67d83..7e603060 100644
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -2,6 +2,8 @@ name: PR Title Check
 on:
 pull_request:
 types: [opened, edited, synchronize]
+permissions:
+ pull-requests: read
 jobs:
 pr-title-check:
 runs-on: buildjet-4vcpu-ubuntu-2204
@@ -12,7 +14,7 @@ jobs:
 # password: ${{ secrets.DOCKER_HUB_API_KEY || '' }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
 - name: Run PR title check
 run: |
 node .github/scripts/pr-title-check.js
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 377952cc..5b2b8bdd 100644
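Review bot: The new `permissions:` block in pr-title-check.yml lists only `pull-requests: read`, which sets every unlisted scope, including `contents`, to none, yet the job's second hunk still runs `actions/checkout`; on a private repository that checkout fails with such a token, and on a public one it typically only works because the content is anonymously readable. Add `contents: read` alongside it, as the other three workflows in this commit do. Whether `pull-requests: read` is itself needed depends on whether `pr-title-check.js` takes the title from the event payload or from the API, which is outside this diff.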
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -3,27 +3,24 @@ on:
 push:
 branches:
 - main
+ - canary
 pull_request:
+permissions:
+ contents: read
+ pull-requests: read
 jobs:
 tests:
 runs-on: buildjet-4vcpu-ubuntu-2204
 container:
- image: node:23
+ image: node:20
 # credentials:
 # username: ${{ vars.DOCKER_HUB_USERNAME || '' }}
 # password: ${{ secrets.DOCKER_HUB_API_KEY || '' }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
 - name: pnpm setup
- uses: pnpm/action-setup@v4
- - name: Setup Node
- uses: actions/setup-node@v4
- with:
- node-version: 20
- cache: "pnpm"
- - name: Install Doppler CLI
- uses: dopplerhq/cli-action@v3
+ uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda
 - name: Install packages
 run: pnpm install
 - name: Run Tests
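Review bot: `image: node:20` is a mutable tag while the same hunk pins every action to a commit SHA, so the job's base image is left as the one unpinned supply-chain input; if reproducibility is the goal, pin it as `image: node:20@sha256:<digest placeholder>` and let the update bot bump it. The `Install Doppler CLI` step is removed but the `Run Tests` command is outside this hunk; if it still invokes `doppler run`, the job will now fail at that step instead, so confirm the test command no longer needs it. The effective Node version is now fixed solely by the image tag, since the removed `setup-node` step was the other place it was declared (`node-version: 20`).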