diff --git a/.github/workflows/README.rst b/.github/workflows/README.rst
new file mode 100644
index 0000000000..e2317713bd
--- /dev/null
+++ b/.github/workflows/README.rst
@@ -0,0 +1,12 @@
+Vega Strike Git Hub Actions Guidance
+====================================
+
+VS will allow many actions that are beneficial to the project.
+We also apply the OSSF Score Card to our projects.
+
+To help with reliability of the GH Actions they should be tagged
+against the associated release SHA Hash instead of Git Tag.
+
+References
+----------
+- https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
diff --git a/.github/workflows/Windows-CI.yml b/.github/workflows/Windows-CI.yml
index 7e4e0023bf..59234d583f 100644
--- a/.github/workflows/Windows-CI.yml
+++ b/.github/workflows/Windows-CI.yml
@@ -155,7 +155,7 @@ jobs:
         run: .\script\test.ps1 -Generator ${{ matrix.cmake-generator }} -EnablePIE ${{ matrix.enable-pie }} -BuildType ${{ matrix.build-type }}
       - name: Upload test results
-        uses: actions/upload-artifact@v3.1.3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: failure()
         with:
           name: test_results_xml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8cb2d7650f..93f69e69fe 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: Check out repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:
           fetch-depth: 2
@@ -33,7 +33,7 @@ jobs:
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
         with:
           languages: ${{ matrix.language }}
           tools: codeql-bundle.tar.gz
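Review bot: The version comment after the pinned SHA is written two ways in this commit: `# v3.1.3` with a space on the upload-artifact line here, but `#v4.1.1`, `#v2.15.3`, `#v1.1.3` and `#v2.3.1` with no space on the checkout, codeql-action, fod-uploader and scorecard-action lines in codeql.yml, fortify-on-demand-scan.yml, gh-actions-pr.yml, gh-actions-release.yml, macos-ci.yml and scorecards-analysis.yml. Dependabot and Renovate read that trailing comment to decide which tag a hash tracks and rewrite it when they bump the hash, so one form should be used throughout; the spaced `# v3.1.3` form is the one their examples use, and I would normalise the others to it, assuming one of those tools is (or will be) configured for this repository. Nothing in the diff shows the hash being checked against the tag it claims, so whoever merges should confirm each SHA is the commit the tag resolves to, since a comment that disagrees with the hash is worse than no comment.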
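Review bot: The checkout line in the first codeql.yml hunk does more than pin: it moves actions/checkout from v3.5.3 to v4.1.1, a major-version upgrade, in a commit that is otherwise a pin-by-hash change. That upgrade is probably harmless for a `fetch-depth: 2` checkout, but it should be named in the commit message or split out so the pinning remains reviewable on its own. The init hunk here and the analyze hunk at the start of the next line pin to the same codeql-action commit `4b6aa0b0…`, which is required — the two must stay in lockstep — so a comment such as `# keep init/analyze on the same codeql-action commit` above each `uses:` would stop a future bump of only one of them.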
@@ -44,6 +44,6 @@ jobs:
           script/build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
         with:
           tools: codeql-bundle.tar.gz
diff --git a/.github/workflows/fortify-on-demand-scan.yml b/.github/workflows/fortify-on-demand-scan.yml
index 545b314035..c0a5371990 100644
--- a/.github/workflows/fortify-on-demand-scan.yml
+++ b/.github/workflows/fortify-on-demand-scan.yml
@@ -16,12 +16,11 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v4.1.1
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
       - name: Fortify on Demand Scan
         # You may pin to the exact commit or the version.
-        # uses: fortify/gha-setup-fod-uploader@636f3c3a14aec1747eec5242a02c6349e4f3cce6
-        uses: fortify/gha-setup-fod-uploader@v1.0.1
+        uses: fortify/gha-setup-fod-uploader@16e5036c084b26cee63cb0c38cfc2101cc9fd13d #v1.1.3
         with:
           # FoDUploader version to use
           version: latest
diff --git a/.github/workflows/gh-actions-pr.yml b/.github/workflows/gh-actions-pr.yml
index fd3ebea93f..8a4b3e640e 100644
--- a/.github/workflows/gh-actions-pr.yml
+++ b/.github/workflows/gh-actions-pr.yml
@@ -329,7 +329,7 @@ jobs:
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:
           fetch-depth: 2
           submodules: false
@@ -365,7 +365,7 @@ jobs:
       # run: ctest -V
       - name: Upload test results
-        uses: actions/upload-artifact@v3.1.3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: failure()
         with:
           name: test_results_xml
diff --git a/.github/workflows/gh-actions-release.yml b/.github/workflows/gh-actions-release.yml
index d255376ca3..2b8dc7cfa5 100644
--- a/.github/workflows/gh-actions-release.yml
+++ b/.github/workflows/gh-actions-release.yml
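Review bot: The checkout step in fortify-on-demand-scan.yml has no `with:` block, so it keeps actions/checkout's default of persisting the job token in the checkout's git config while the third-party uploader in the very next step runs; the scorecards-analysis.yml checkout in this same commit sets `persist-credentials: false`, and this one should match — add `with:` and `persist-credentials: false` under the new checkout line. The same hunk also moves the uploader from v1.0.1 to v1.1.3 rather than only pinning the version already in use, and nothing in the diff shows where `16e5036c…` was checked against that tag, so the commit message should say this is an upgrade. The surviving context comment `# You may pin to the exact commit or the version.` is marketplace boilerplate that belonged with the removed `# uses: …@636f3c3a…` line; with pinning now stated as policy in README.rst of this commit, it can be dropped.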
@@ -160,7 +160,7 @@ jobs:
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:
           fetch-depth: 2
           submodules: false
@@ -183,7 +183,7 @@ jobs:
           IS_RELEASE: 1
         run: script/cibuild $FLAGS
       - name: Upload the artifacts
-        uses: skx/github-action-publish-binaries@master
+        uses: skx/github-action-publish-binaries@44887b225ceca96efd8a912d39c09ad70312af31 # master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ARTIFACT_EXT: ${{ matrix.ARTIFACT_EXT }}
diff --git a/.github/workflows/macos-ci.yml b/.github/workflows/macos-ci.yml
index 746d0f9367..81f367ff3b 100644
--- a/.github/workflows/macos-ci.yml
+++ b/.github/workflows/macos-ci.yml
@@ -66,7 +66,7 @@ jobs:
         run: brew install openal-soft
       - name: Check out repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:
           fetch-depth: 2
           submodules: false
@@ -92,7 +92,7 @@ jobs:
         run: ctest -V
       - name: Upload test results
-        uses: actions/upload-artifact@v3.1.3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: failure()
         with:
           name: test_results_xml
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index 537c01a657..08880a397b 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -23,7 +23,7 @@ jobs:
     steps:
       - name: "Check out code"
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:
           persist-credentials: false
@@ -34,7 +34,7 @@ jobs:
           gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'
       - name: "Run analysis"
-        uses: ossf/scorecard-action@v2.3.1
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 #v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
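Review bot: The publish step in the second gh-actions-release.yml hunk is pinned to a commit of `master` rather than a release, and the `# master` comment gives update tooling nothing to track, so this pin will silently go stale in a way the tagged pins elsewhere in the commit will not. It is also the step where a wrong or unreviewed hash matters most: the action receives `secrets.GITHUB_TOKEN` and publishes release assets, as the `env:` lines show. If skx/github-action-publish-binaries has tagged releases, pin to one and comment it in the same `# vX.Y.Z` form used for the other actions (placeholder for the chosen tag); if it has none, say so next to the hash, e.g. `# master as of <date>; no tagged release`, so the next reader knows the choice was deliberate. The step's remaining inputs and the rest of the job lie outside the hunk.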
@@ -49,7 +49,7 @@ jobs:
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@v3.1.3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif
@@ -57,7 +57,7 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
         with:
           sarif_file: results.sarif
           tools: codeql-bundle.tar.gz