diff --git a/.github/workflows/build-react.yaml b/.github/workflows/build-react.yaml
index 7ed87404..2fe65405 100644
--- a/.github/workflows/build-react.yaml
+++ b/.github/workflows/build-react.yaml
@@ -17,9 +17,9 @@ jobs:
         working-directory: react
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: lts/*
           registry-url: https://npm.intility.com/
diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
index 6bb7d151..cba4fb9c 100644
--- a/.github/workflows/publish-docs.yaml
+++ b/.github/workflows/publish-docs.yaml
@@ -16,10 +16,10 @@ jobs:
       run:
         working-directory: docusaurus
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 20
           registry-url: https://npm.intility.com/
@@ -34,7 +34,7 @@ jobs:
         run: npm run build
 
       - name: Upload Build Artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: docusaurus/build
 
@@ -56,4 +56,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/publish-dotnet.yaml b/.github/workflows/publish-dotnet.yaml
index 96f1f001..4b81efbf 100644
--- a/.github/workflows/publish-dotnet.yaml
+++ b/.github/workflows/publish-dotnet.yaml
@@ -13,9 +13,9 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-dotnet@v5
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
         with:
           dotnet-version: "9.0.x"
 
diff --git a/.github/workflows/test-publish-docs.yaml b/.github/workflows/test-publish-docs.yaml
index e3f5f79f..b9b9a276 100644
--- a/.github/workflows/test-publish-docs.yaml
+++ b/.github/workflows/test-publish-docs.yaml
@@ -15,10 +15,10 @@ jobs:
       run:
         working-directory: docusaurus
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 20
           registry-url: https://npm.intility.com/
diff --git a/docusaurus/Dockerfile b/docusaurus/Dockerfile
deleted file mode 100644
index 644fca2b..00000000
--- a/docusaurus/Dockerfile
+++ /dev/null
@@ -1,13 +0,0 @@
-FROM node:12 AS build
-
-WORKDIR /src
-
-COPY package*.json .
-RUN npm ci
-
-COPY . .
-RUN npm run build
-
-FROM intility/nginx-unprivileged-react:1.18.2
-
-COPY --from=build /src/build /usr/share/nginx/html
diff --git a/dotnet/iwebapi/.github/workflows/build-and-push.yaml b/dotnet/iwebapi/.github/workflows/build-and-push.yaml
index 09ce7ea2..1e8af106 100644
--- a/dotnet/iwebapi/.github/workflows/build-and-push.yaml
+++ b/dotnet/iwebapi/.github/workflows/build-and-push.yaml
@@ -17,6 +17,6 @@ jobs:
       id-token: write
       packages: write
       attestations: write
-    uses: intility/reusable-dotnet/.github/workflows/dotnet.yaml@v1.2.0
+    uses: intility/reusable-dotnet/.github/workflows/dotnet.yaml@8af9348bcc7bc58e62f7e2fe4b1a46c932347ecc # v1.2.0
     with:
       docker: ${{ github.event_name != 'pull_request' }}
diff --git a/dotnet/iworker/.github/workflows/build-and-push.yaml b/dotnet/iworker/.github/workflows/build-and-push.yaml
index d0b3a23a..a75f3a5a 100644
--- a/dotnet/iworker/.github/workflows/build-and-push.yaml
+++ b/dotnet/iworker/.github/workflows/build-and-push.yaml
@@ -17,7 +17,7 @@ jobs:
       id-token: write
       packages: write
       attestations: write
-    uses: intility/reusable-dotnet/.github/workflows/dotnet.yaml@v1.2.0
+    uses: intility/reusable-dotnet/.github/workflows/dotnet.yaml@8af9348bcc7bc58e62f7e2fe4b1a46c932347ecc # v1.2.0
     with:
       directory: ./
       docker: ${{ github.event_name != 'pull_request' }}
diff --git a/react/.github/workflows/main.yaml b/react/.github/workflows/main.yaml
index cad9ce2d..58fed5d8 100644
--- a/react/.github/workflows/main.yaml
+++ b/react/.github/workflows/main.yaml
@@ -14,7 +14,7 @@ jobs:
       packages: write
       id-token: write
       attestations: write
-    uses: intility/reusable-react/.github/workflows/react.yaml@v1.1.1
+    uses: intility/reusable-react/.github/workflows/react.yaml@d27705c0cb0641ffa68d59ac2d45af519528c70d # v1.1.1
     with:
       # image will be pushed to ghcr.io/intility/<project-name>/react-app
       image-name: __DOCKER_IMAGE_NAME__
diff --git a/react/.github/workflows/pull-request.yaml b/react/.github/workflows/pull-request.yaml
index ae5b6048..7cfe5b26 100644
--- a/react/.github/workflows/pull-request.yaml
+++ b/react/.github/workflows/pull-request.yaml
@@ -14,7 +14,7 @@ jobs:
       packages: write
       id-token: write
       attestations: write
-    uses: intility/reusable-react/.github/workflows/react.yaml@v1.1.1
+    uses: intility/reusable-react/.github/workflows/react.yaml@d27705c0cb0641ffa68d59ac2d45af519528c70d # v1.1.1
     with:
       # image will be pushed to ghcr.io/intility/<project-name>/react-app
       image-name: __DOCKER_IMAGE_NAME__
diff --git a/react/.github/workflows/release.yaml b/react/.github/workflows/release.yaml
index deac683a..a1fefa58 100644
--- a/react/.github/workflows/release.yaml
+++ b/react/.github/workflows/release.yaml
@@ -14,7 +14,7 @@ jobs:
       packages: write
       id-token: write
       attestations: write
-    uses: intility/reusable-react/.github/workflows/react.yaml@v1.1.1
+    uses: intility/reusable-react/.github/workflows/react.yaml@d27705c0cb0641ffa68d59ac2d45af519528c70d # v1.1.1
     with:
       # image will be pushed to ghcr.io/intility/<project-name>/react-app
       image-name: __DOCKER_IMAGE_NAME__
diff --git a/react/Dockerfile b/react/Dockerfile
index d4388e45..3357f27d 100644
--- a/react/Dockerfile
+++ b/react/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM node:lts-slim as build
+FROM node@sha256:d8e448a56fc63242f70026718378bd4b00f8c82e78d20eefb199224a4d8e33d8 as build # lts-slim
 WORKDIR /src
 
 # .npmrc should be pre-configured with the registry
@@ -16,7 +16,7 @@ RUN --mount=type=secret,id=NODE_AUTH_TOKEN,env=NODE_AUTH_TOKEN \
 COPY . .
 RUN npm run build
 
-FROM ghcr.io/intility/nginx-unprivileged-react:2.5.1
+FROM ghcr.io/intility/nginx-unprivileged-react@sha256:0e071176f68f689bd8b7fbdc30062af2b20f935e85c5a7daadec156c0277ea04 # 2.5.1
 
 # Copy build files
 COPY --from=build /src/dist /usr/share/nginx/html
diff --git a/react/Dockerfile.CI b/react/Dockerfile.CI
index 51900210..62a7437a 100644
--- a/react/Dockerfile.CI
+++ b/react/Dockerfile.CI
@@ -1,5 +1,5 @@
 # This Dockerfile requires running `npm run build` on the host first
-FROM ghcr.io/intility/nginx-unprivileged-react:2.5.1
+FROM ghcr.io/intility/nginx-unprivileged-react@sha256:0e071176f68f689bd8b7fbdc30062af2b20f935e85c5a7daadec156c0277ea04 # 2.5.1
 
 # Copy build files
 COPY dist/ /usr/share/nginx/html