diff --git a/.github/workflows/Windows-CI.yml b/.github/workflows/Windows-CI.yml
index 7a78ef6ea7..c3a7a3565a 100644
--- a/.github/workflows/Windows-CI.yml
+++ b/.github/workflows/Windows-CI.yml
@@ -35,7 +35,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #v3.3.0
 
       - name: install-cmake
         uses: lukka/get-cmake@v3.21.2
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8bee1caa53..e34cdaf6fe 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #v3.3.0
       with:
         fetch-depth: 2
 
diff --git a/.github/workflows/fortify-on-demand-scan.yml b/.github/workflows/fortify-on-demand-scan.yml
index 57bdccf7b9..dedc6e392c 100644
--- a/.github/workflows/fortify-on-demand-scan.yml
+++ b/.github/workflows/fortify-on-demand-scan.yml
@@ -16,7 +16,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #v3.3.0
 
       - name: Fortify on Demand Scan
         # You may pin to the exact commit or the version.
diff --git a/.github/workflows/gh-actions-pr.yml b/.github/workflows/gh-actions-pr.yml
index e4496c71b2..8407b53b54 100644
--- a/.github/workflows/gh-actions-pr.yml
+++ b/.github/workflows/gh-actions-pr.yml
@@ -144,7 +144,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #v3.3.0
       with:
         fetch-depth: 2
         submodules: false
diff --git a/.github/workflows/gh-actions-release.yml b/.github/workflows/gh-actions-release.yml
index 15aff93aad..b71de65b81 100644
--- a/.github/workflows/gh-actions-release.yml
+++ b/.github/workflows/gh-actions-release.yml
@@ -159,7 +159,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #v3.3.0
       with:
         fetch-depth: 2
         submodules: false
diff --git a/.github/workflows/macos-ci.yml b/.github/workflows/macos-ci.yml
index d45fed7984..dfddaa88e1 100644
--- a/.github/workflows/macos-ci.yml
+++ b/.github/workflows/macos-ci.yml
@@ -64,7 +64,7 @@ jobs:
       run: brew install openal-soft
 
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #v3.3.0
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.