diff --git a/.github/workflows/lint-collection.yml b/.github/workflows/lint-collection.yml
index d6c9bbe..2c43657 100644
--- a/.github/workflows/lint-collection.yml
+++ b/.github/workflows/lint-collection.yml
@@ -24,9 +24,9 @@ jobs:
             python: "3.12"
     steps:
       # Checks-out the repository under $GITHUB_WORKSPACE, so it's accessible to the job
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python }}
 
@@ -53,17 +53,17 @@ jobs:
 
     steps:
       # Checks-out the repository under $GITHUB_WORKSPACE, so it's accessible to the job
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: repo
 
       # Checkout utility scripts
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: stackhpc/.github
           path: stackhpc-github
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python }}
 
diff --git a/.github/workflows/publish-collection.yml b/.github/workflows/publish-collection.yml
index fbad9a1..adfd88c 100644
--- a/.github/workflows/publish-collection.yml
+++ b/.github/workflows/publish-collection.yml
@@ -14,7 +14,7 @@ jobs:
         run: echo "You must trigger this workflow on a git tag" && exit -1
         if: github.ref_type != 'tag'
       - name: Github Checkout 🛎
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check git tag matches version in galaxy.yml
         run: echo "${{ github.ref_name }}" | grep $(yq -r .version < galaxy.yml)
       - name: Build Collection 🛠
diff --git a/.github/workflows/tag-and-release.yml b/.github/workflows/tag-and-release.yml
index 955e39f..c0ceaaa 100644
--- a/.github/workflows/tag-and-release.yml
+++ b/.github/workflows/tag-and-release.yml
@@ -20,7 +20,7 @@ jobs:
       # cancelled. This makes sense for a deployment, but not for a tagging
       # workflow.
       - name: Serialise runs of this workflow
-        uses: softprops/turnstyle@ca99add00ff0c9cbc697d22631d2992f377e5bd5
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v3.2.3
         with:
           continue-after-seconds: 180
           poll-interval-seconds: 30
@@ -35,7 +35,7 @@ jobs:
     needs: [turnstyle]
     steps:
       - name: Github checkout 🛎 [${{ github.repository }}]
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - name: Configure repository 🛠
@@ -51,7 +51,7 @@ jobs:
           git fetch origin &&
           git push stackhpc --follow-tags
       - name: Github checkout 🛎 [${{ env.naming-things-is-hard-repository }}]
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ${{ env.naming-things-is-hard-repository }}
           path: naming-things-is-hard
@@ -63,7 +63,7 @@ jobs:
     name: Release newly generated tag 🏷
     steps:
       - name: Github checkout 🛎 [${{ github.repository }}]
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - name: Get tag 🏷
@@ -72,9 +72,19 @@ jobs:
       - name: Generate release notes 📝
         run: git log --pretty="%h %s" $(git describe --tags --abbrev=0)...$(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^) > changelog.txt
       - name: Publish release 🚀
-        uses: softprops/action-gh-release@d4e8205d7e959a9107da6396278b2f1f07af0f9b
-        with:
-          tag_name: ${{ steps.commit-tag.outputs.value }}
-          body_path: ${{ github.workspace }}/changelog.txt
-          files: |
-            LICENSE
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG_NAME="${{ steps.commit-tag.outputs.value }}"
+          
+          # Fail if release already exists
+          if gh release view "$TAG_NAME" > /dev/null 2>&1; then
+            echo "Release for $TAG_NAME already exists. Releases are immutable."
+            exit 1
+          else
+            echo "Creating release for $TAG_NAME"
+            gh release create "$TAG_NAME" \
+              --title "$TAG_NAME" \
+              --notes-file changelog.txt \
+              LICENSE
+          fi
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
index 95f955b..64d719b 100644
--- a/.github/workflows/tox.yml
+++ b/.github/workflows/tox.yml
@@ -99,9 +99,9 @@ jobs:
       name: Tox ${{ matrix.environment }} with Python 3.${{ matrix.python-minor-version }}
       steps:
         - name: Github Checkout 🛎
-          uses: actions/checkout@v4
+          uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         - name: Setup Python 3.${{ matrix.python-minor-version }} 🐍
-          uses: actions/setup-python@v5
+          uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
           with:
             python-version: 3.${{ matrix.python-minor-version }}
         - name: Install bindep 📦