diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index e45c81a..3704b64 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -210,7 +210,8 @@ jobs:
 - name: Install cosign
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
- uses: sigstore/cosign-installer@v3
+ # Pinned to last v3 release confirmed node20.
+ uses: sigstore/cosign-installer@v3.7.0
 - name: Sign ISO parts (keyless)
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
@@ -224,7 +225,8 @@ jobs:
 - name: Generate SBOM (SPDX)
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
- uses: anchore/sbom-action@v0
+ # Pinned to last v0.17 release that ships node20.
+ uses: anchore/sbom-action@v0.17.2
 with:
 path: build/out
 format: spdx-json
@@ -232,7 +234,8 @@ jobs:
 - name: Build provenance attestation
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
- uses: actions/attest-build-provenance@v2
+ # Pinned to last v2.2 release that ships node20.
+ uses: actions/attest-build-provenance@v2.2.3
 with:
 subject-path: 'build/out/*.iso.part-*'
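Review bot: The new `uses:` line pins cosign-installer to the tag `v3.7.0`, which is mutable, so the step that signs the release artifacts still runs whatever that tag points to on the day of the build rather than a fixed revision; the same applies to the sbom-action and attest-build-provenance pins in the next two hunks. Pin the full 40-character commit hash and keep the version in a trailing comment so update tooling can still track it, e.g. `uses: sigstore/cosign-installer@<FULL_COMMIT_SHA_OF_v3.7.0> # v3.7.0`. The added comment `# Pinned to last v3 release confirmed node20.` is also worded differently from the other two ("confirmed node20" vs "that ships node20"); one form across all three would read better. The enclosing job definition starts outside the hunk.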
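Review bot: Pinning sbom-action to the exact patch `v0.17.2` means the SBOM generator no longer picks up fixes within the v0 line on its own, and nothing in the hunk records how this pin is meant to be refreshed. If the repository has no Dependabot `github-actions` ecosystem entry (not visible here), adding one would keep these exact pins current; either way a comment stating what fails on newer releases (presumably the newer Node runtime they require, which I cannot confirm from the diff) would tell a future maintainer why a bump needs a runner check rather than a blind merge, e.g. `# Newer releases need a newer Node runtime than our runners provide (TODO confirm); re-test before bumping.` The step's `with:` block may continue past the hunk.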
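Review bot: The comment `# Pinned to last v2.2 release that ships node20.` is a point-in-time claim that silently goes stale once further v2.2.x releases appear, and it does not say what breaks when a newer release is used. Phrase it as a dated fact with the reason, e.g. `# Pinned to v2.2.3, the last node20 build as of <DATE>; later releases presumably need a newer Node runtime (confirm before bumping).` The `subject-path` glob is unchanged by this hunk, and the step's `with:` block continues outside it.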