diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b8d1175..3914c54 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -2,6 +2,9 @@ name: Publish to PyPI
 on: push
+permissions:
+ contents: read
+
 jobs:
 build:
@@ -44,7 +47,7 @@ jobs:
 name: python-package-distributions
 path: dist/
 - name: Publish distribution to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # release/v1
 github-release:
 name: Sign and upload GitHub Release
@@ -63,7 +66,7 @@ jobs:
 name: python-package-distributions
 path: dist/
 - name: Sign with Sigstore
- uses: sigstore/gh-action-sigstore-python@v2.1.1
+ uses: sigstore/gh-action-sigstore-python@1f6a500bbfdd9a2a339cf033e5421951fbc1cd2 # v2.1.1
 with:
 inputs: >-
 ./dist/*.tar.gz
@@ -107,8 +110,8 @@ jobs:
 # name: python-package-distributions
 # path: dist/
 # - name: Publish distribution to TestPyPI
-# uses: pypa/gh-action-pypi-publish@release/v1
+# uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # release/v1
 # with:
 # verbose: true
 # print-hash: true
-# repository-url: https://test.pypi.org/legacy/
\ No newline at end of file
+# repository-url: https://test.pypi.org/legacy/
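Review bot: Confirm that every job needing more than read access declares its own `permissions:` block, because the top-level `permissions: contents: read` added in the first hunk becomes the default GITHUB_TOKEN scope for any job that does not. No job-level `permissions:` is visible in these hunks. If the PyPI publish job uses trusted publishing it needs `id-token: write`, and the `github-release` job (Sigstore signing plus release upload) presumably needs `id-token: write` and `contents: write`; without them those jobs would start failing after this change. A comment above the block would record the intent, e.g. `# Least-privilege default; jobs that need more declare their own permissions.` The `jobs:` mapping continues outside the hunk.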
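Review bot: The trailing comment `# release/v1` on the pinned `Publish distribution to PyPI` step names a moving branch, so it does not record which release the hash was taken from and gives a reviewer nothing stable to verify it against. Put the immutable version tag in the comment instead, `uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # vX.Y.Z` (placeholder: fill in the tag this commit actually belongs to). That is also the form update tooling such as Dependabot keeps in step with the hash when it bumps a pinned action. The same comment is repeated on the commented-out TestPyPI step in the last hunk.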
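Review bot: The ref pinned on the `Sign with Sigstore` step, `1f6a500bbfdd9a2a339cf033e5421951fbc1cd2`, is 39 hex characters, one short of a full 40-character commit SHA (the `pypa` pin in the previous hunk has 40). A truncated hash is not an immutable pin: Actions will most likely fail to resolve it, or look it up as a branch or tag name, so the step either breaks or loses the guarantee this commit is meant to add. Re-copy the full commit hash behind the `v2.1.1` tag from the upstream repository and change the line to `uses: sigstore/gh-action-sigstore-python@<full-40-char-sha> # v2.1.1`. A CI lint that rejects any `uses:` ref that is not exactly 40 hex characters would catch this class of copy error.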