diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 1005bef..eb6081d 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -22,9 +22,9 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.13"
 cache: pip
@@ -39,11 +39,11 @@ jobs:
 release:
 name: Release
 needs: [test]
- # Only run on direct pushes to main (not on pull requests)
 if: github.event_name != 'pull_request'
 runs-on: ubuntu-latest
 permissions:
 attestations: write
+ artifact-metadata: write
 contents: write
 id-token: write
 issues: write
@@ -52,13 +52,13 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Semantic Release
 id: semantic
- uses: cycjimmy/semantic-release-action@v6
+ uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
 with:
 tag_format: 'v${version}'
 extra_plugins: |
@@ -70,13 +70,13 @@ jobs:
 - name: Set Docker metadata
 id: meta
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
 images: |
 ${{ env.DOCKERHUB_USER }}/${{ env.DOCKERHUB_REPO }}
 ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_REPO }}
 labels: |
- org.opencontainers.image.maintainer=amartingarcia,ialejandro'
+ org.opencontainers.image.maintainer='amartingarcia,ialejandro'
 org.opencontainers.image.title='PR Generator'
 org.opencontainers.image.description='PR Generator to automate pull request management'
 org.opencontainers.image.vendor='devops-ia'
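Review bot: The pinned `actions/checkout` step in the test job (hunk at line 22) still keeps the action's default of writing the GITHUB_TOKEN into the checked-out repository's git config, which a job running under `contents: read` has no visible need for. Unless a later step in this job (outside the hunk) pushes to the repository, add `with:` / `persist-credentials: false` to that step so the token is not left on the runner for subsequent steps or tooling to read. The release job's checkout in the later hunks is a different case: if semantic-release pushes the tag from it, that step needs the credential and should keep the default. The `# v6.0.2` / `# v6.2.0` comments are the only human-readable trace of what each SHA is and nothing at run time checks them, so keep them honest through Dependabot/Renovate or a pre-merge check rather than by hand.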
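Review bot: The comment removed above `if: github.event_name != 'pull_request'` (hunk at line 39) was the only explanation of that gate, and nothing replaces it; note that the condition does not restrict the job to `main` — it only excludes pull_request events, so branch scope comes from the workflow's `on:` triggers, which are outside this diff. I would restore an accurate comment, e.g. `# Skip pull_request events; which branches reach this job is decided by the workflow triggers`. The new `artifact-metadata: write` permission is likewise undocumented: if it exists for the `actions/attest` step introduced in the last hunk, say so inline, `artifact-metadata: write  # required by the actions/attest step`, and confirm that action actually needs it before widening the job's token.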
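Review bot: The SHA pin on `cycjimmy/semantic-release-action` (hunk at line 52) covers only the action wrapper, not the semantic-release plugins it installs from npm at run time through `extra_plugins:`; that list continues past the hunk, so I cannot see whether its entries carry exact versions. If they are unversioned or use ranges, the release job still pulls whatever npm serves that day, which is the same supply-chain exposure the SHA pinning is meant to close — pin each plugin there to an exact version as well. The checkout in this job keeps the default credential persistence, which is presumably deliberate so the release step can push the tag; a short comment on that step saying so would stop the next reviewer from "hardening" it away.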
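Review bot: The corrected `maintainer` line (hunk at line 70) balances the quotes but keeps the single-quote style of the other labels, and it is worth checking whether those quotes are literal: a YAML block scalar does no quote stripping, and as far as I know `docker/metadata-action` forwards each `labels:` line as a raw `key=value` pair, so the image label is likely to end up as `'PR Generator'` with the quotes included. After the next release, inspect the published image's labels and, if the quotes appear in the values, drop them from all four lines (`org.opencontainers.image.maintainer=amartingarcia,ialejandro` and so on) — commas and spaces in the value do not need quoting there. The `with:` block and any further labels continue past this hunk.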
@@ -85,15 +85,15 @@ jobs:
 - name: Set up QEMU
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Set up Docker Buildx
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Cache Docker layers
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: /tmp/.buildx-cache
 key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -102,14 +102,14 @@ jobs:
 - name: "[DOCKERHUB] Log in"
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: docker/login-action@v4
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
 - name: "[GHCR] Log in"
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: docker/login-action@v4
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
 registry: ${{ env.GHCR_REGISTRY }}
 username: ${{ github.actor }}
@@ -118,7 +118,7 @@ jobs:
 - name: Build and push Docker image
 id: push
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
 with:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
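Review bot: The Docker Hub login step (hunk at line 102) now pins the action but still authenticates with `secrets.DOCKERHUB_PASSWORD`; the secret name suggests an account password rather than a scoped access token, although the name alone does not prove what is stored. A Docker Hub access token limited to read/write on this repository narrows what a leaked secret can do and can be revoked without changing the account password; the same secret is reused by the description-update step in a later hunk, so both would switch together. If the stored value is already a token, renaming the secret (for example `DOCKERHUB_TOKEN`) documents that for the next reader.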
@@ -131,7 +131,7 @@ jobs:
 - name: "[DOCKERHUB] Update registry description"
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: peter-evans/dockerhub-description@v5
+ uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
@@ -139,7 +139,7 @@ jobs:
 - name: "[GHCR] Generate artifact attestation"
 if: steps.semantic.outputs.new_release_published == 'true'
- uses: actions/attest-build-provenance@v4
+ uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
 with:
 subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_REPO }}
 subject-digest: ${{ steps.push.outputs.digest }}
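Review bot: The last hunk (line 139) changes which action runs, not just its ref — `actions/attest-build-provenance` becomes `actions/attest` — so the `# v4.1.0` comment must be checked against the tag that SHA carries in the `actions/attest` repository, not the old action's release line. The two actions have different contracts: `actions/attest` signs an arbitrary predicate supplied through `predicate-type` and `predicate`/`predicate-path`, whereas the old action produced SLSA build provenance by itself, so the `with:` block continuing past the hunk must have gained those inputs or the step will fail or attest something other than provenance. If the goal is still build provenance for the GHCR image, keep `attest-build-provenance` at a pinned SHA; if a custom predicate is intended, add a comment on the step saying what is attested and make the `[GHCR] Generate artifact attestation` name match it.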