diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index 70f371c958..f8af05caf6 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -1,23 +1,20 @@
 name: FOSSA
+
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
 
-permissions: read-all
-
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-
       - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ~1.19.4
-
       - name: run FOSSA analysis
         env:
           # FOSSA Push-Only API Token
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
index e8bed889a0..1406daae5f 100644
--- a/.github/workflows/helm-test.yaml
+++ b/.github/workflows/helm-test.yaml
@@ -1,4 +1,5 @@
 name: helm-test
+
 on:
   pull_request:
     branches:
@@ -8,8 +9,6 @@ on:
       - charts/**
       - .github/workflows/helm-test.yaml
 
-permissions: read-all
-
 jobs:
   helm-tests:
     runs-on: ubuntu-latest
@@ -17,15 +16,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
         with:
-          fetch-depth: "0"
-
+          fetch-depth: 0
       - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912 # v4.4.0
         with:
           python-version: 3.7
-
       - name: Set up chart-testing
         uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1
-
       - name: Run chart-testing (lint)
         run: |
           if [[ $(ct list-changed --target-branch=main) ]];
diff --git a/.github/workflows/nancy.yaml b/.github/workflows/nancy.yaml
index 415013c9a9..2dd356b242 100644
--- a/.github/workflows/nancy.yaml
+++ b/.github/workflows/nancy.yaml
@@ -16,4 +16,4 @@ jobs:
       - name: WriteGoList
         run: go list -json -m all > go.list
       - name: Nancy SAST Scan
-        uses: sonatype-nexus-community/nancy-github-action@aae196481b961d446f4bff9012e4e3b63d7921a4 # pin@main
+        uses: sonatype-nexus-community/nancy-github-action@aae196481b961d446f4bff9012e4e3b63d7921a4 # v1.0.2
diff --git a/.github/workflows/sonarcloud.yaml b/.github/workflows/sonarcloud.yaml
index 1aedaae2d1..1cbd0c40ea 100644
--- a/.github/workflows/sonarcloud.yaml
+++ b/.github/workflows/sonarcloud.yaml
@@ -12,10 +12,9 @@ jobs:
     steps:
       - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
         with:
-          # Disabling shallow clone is recommended for improving relevancy of reporting
           fetch-depth: 0
       - name: SonarCloud Scan
-        uses: sonarsource/sonarcloud-github-action@cb201f3b2d7a38231a8c042dfea4539c8bea180b # pin@master
+        uses: sonarsource/sonarcloud-github-action@cb201f3b2d7a38231a8c042dfea4539c8bea180b # v1.8
         env:
           GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}