diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..611a097 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: daily + rebase-strategy: disabled + open-pull-requests-limit: 10 + cooldown: + default-days: 7 + exclude: + - fac/* diff --git a/.github/workflows/bats.yml b/.github/workflows/bats.yml index 54e5a68..90ca6e5 100644 --- a/.github/workflows/bats.yml +++ b/.github/workflows/bats.yml @@ -6,12 +6,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Setup BATS - uses: mig4/setup-bats@v1 + uses: mig4/setup-bats@af9a00deb21b5d795cabfeaa8d9060410377686d # v1.2.0 with: bats-version: 1.3.0 - - uses: actions/checkout@v1 - - uses: ruby/setup-ruby@v1 # .ruby-version + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0 + - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 with: bundler-cache: true # bundle install diff --git a/.github/workflows/check-pinned-actions.yml b/.github/workflows/check-pinned-actions.yml new file mode 100644 index 0000000..5a35d27 --- /dev/null +++ b/.github/workflows/check-pinned-actions.yml @@ -0,0 +1,11 @@ +name: Check actions have their versions pinned + +on: + push: + paths: + - '.github/workflows/*.yml' + - '.github/workflows/*.yaml' + +jobs: + pinact: + uses: fac/shared-workflows/.github/workflows/check_pinned_actions.yml@main diff --git a/.github/workflows/freeagent-gem.yml b/.github/workflows/freeagent-gem.yml index 53ae38b..0d784dc 100644 --- a/.github/workflows/freeagent-gem.yml +++ b/.github/workflows/freeagent-gem.yml 
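Review bot: The `cooldown` block exempts `fac/*` from the 7-day wait and `rebase-strategy` is set to `disabled`, but neither choice carries a comment explaining it. A reader cannot tell whether the exemption is deliberate, presumably because first-party actions are released under the team's own control, or an oversight. I would add a line above `exclude:` such as `# first-party actions skip the cooldown; their releases are controlled in-house`, and a similar one above `rebase-strategy`. It is also worth stating in a comment that the cooldown exists to delay adoption of freshly published third-party releases.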
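Review bot: Replacing the trailing comment on the `ruby/setup-ruby` step with the version tag drops the original `# .ruby-version` note, so the step no longer says where the Ruby version comes from. The same happens to `# .ruby-version for ruby setup` in the first hunk of freeagent-gem.yml. Since the trailing comment now serves as the version label for the pinned SHA, I would move the explanation to its own line above the step, e.g. `# Ruby version is read from .ruby-version`. Separately, this file pins `actions/checkout` at v1.2.0 while freeagent-gem.yml pins v2.7.0; if that split is not deliberate, aligning them leaves one SHA to audit instead of two.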
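Review bot: The `paths` filter lists only the workflow files, so a push that changes just `.pinact.yaml` (for example widening `ignore_actions`) does not run the pinning check; adding `- '.pinact.yaml'` to `paths` closes that gap. The `pinact` job also calls a reusable workflow at the mutable ref `@main` with no `permissions:` block, so it runs with the repository's default token permissions. Unless the shared workflow needs more (it is not visible here), setting `permissions:` with `contents: read` on the job keeps it least-privilege. The trigger is `push` only, so pull requests from forks are presumably not checked; worth confirming that is intended.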
@@ -12,8 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: ruby/setup-ruby@v1 # .ruby-version for ruby setup + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 with: bundler-cache: true # bundle install and cache @@ -31,13 +31,13 @@ jobs: runs-on: ubuntu-latest steps: - - uses: fac/ruby-gem-setup-credentials-action@v2 + - uses: fac/ruby-gem-setup-credentials-action@5f62d5f2f56a11c7422a92f81fbb29af01e1c00f # v2 with: token: ${{ secrets.github_token }} # Build the gem package - - uses: actions/checkout@v2 - - uses: ruby/setup-ruby@v1 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 with: bundler-cache: true - run: bundle exec rake build @@ -45,14 +45,14 @@ jobs: # Release production gem version from default branch - name: Release if: github.ref == 'refs/heads/main' - uses: fac/ruby-gem-push-action@v2 + uses: fac/ruby-gem-push-action@81d77bf568ff6659d7fae0f0c5a036bb0aeacb1a # v2 with: key: github # PR branch builds will release pre-release gems - name: Pre-Release if: github.ref != 'refs/heads/main' - uses: fac/ruby-gem-push-action@v2 + uses: fac/ruby-gem-push-action@81d77bf568ff6659d7fae0f0c5a036bb0aeacb1a # v2 with: key: github pre-release: true diff --git a/.pinact.yaml b/.pinact.yaml new file mode 100644 index 0000000..6c1a9d3 --- /dev/null +++ b/.pinact.yaml @@ -0,0 +1,4 @@ +version: 3 +ignore_actions: + - name: fac/.* + ref: ^main$
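Review bot: The `# v2` comment beside the pinned `fac/ruby-gem-setup-credentials-action` SHA names a major tag that can move, so it does not identify which release the commit belongs to, unlike the `# v2.7.0` and `# v1.310.0` comments on the neighbouring steps. The two `fac/ruby-gem-push-action` lines in the next hunk have the same form. If those repositories publish full version tags, I would put the full tag in the comment (e.g. `# <full-release-tag>`) so a reviewer can match the SHA to a release. This step is handed `secrets.github_token` and the later steps appear to publish the gem, so these are the pins that most need to be traceable.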
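Review bot: The `name: fac/.*` pattern is unanchored while `ref: ^main$` is anchored. If pinact treats `name` as a search rather than a full match (worth checking against the pinact version in use), an action whose owner merely ends in `fac` would also be exempt from pinning at `main`. Writing it as `name: ^fac/.*$` makes the exemption unambiguous either way. A one-line comment above `ignore_actions`, such as `# first-party reusable workflows are deliberately tracked at main`, would record why this exception to the pinning policy exists.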