diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index 951ba35..e07785a 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -48,7 +48,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
+        # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
+        uses: actions/checkout@v4.1.7
 
       - name: Free up disk
         run: |
@@ -85,7 +87,10 @@ jobs:
 
       - name: SBOM (SPDX)
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: anchore/sbom-action@v0
+        # Pinned to last v0 tag confirmed to ship on node20. The `@v0`
+        # floating tag rolls forward and will eventually pull a node24
+        # release. TODO(infra): SHA pin in a follow-up sweep.
+        uses: anchore/sbom-action@v0.17.2
         with:
           image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }}
           format: spdx-json
@@ -93,7 +98,8 @@ jobs:
 
       - name: Build provenance attestation
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: actions/attest-build-provenance@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: actions/attest-build-provenance@v2.2.3
         with:
           subject-name: ${{ env.OCI_IMAGE }}
           subject-digest: ${{ steps.bluebuild.outputs.digest }}
diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index 8a5fc2e..7e14fc1 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -30,7 +30,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
+        # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
+        uses: actions/checkout@v4.1.7
 
       - name: Free up disk
         run: |
@@ -199,7 +201,8 @@ jobs:
 
       - name: Publish to ci-latest rolling prerelease
         if: success() && github.ref == 'refs/heads/main'
-        uses: softprops/action-gh-release@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: softprops/action-gh-release@v2.0.4
         with:
           tag_name: ci-latest
           name: "ci-latest (auto)"
@@ -233,7 +236,8 @@ jobs:
 
       - name: Attach to release on tag
         if: github.event_name == 'release'
-        uses: softprops/action-gh-release@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: softprops/action-gh-release@v2.0.4
         with:
           files: |
             build/out/*.iso
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ee790bd..51a4bd0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,7 +12,8 @@ jobs:
     container:
       image: registry.fedoraproject.org/fedora:43
     steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
       - run: dnf -y install pykickstart
       - run: ksvalidator kickstart/veilor-os.ks
 
@@ -20,7 +21,8 @@ jobs:
     name: Shell scripts
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
       - uses: ludeeus/action-shellcheck@master
         with:
           severity: warning
@@ -30,7 +32,8 @@ jobs:
     name: No personal/onyx leaks
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
       - name: Grep for leaks
         run: |
           set -e