diff --git a/.github/workflows/harden-ci-security.yml b/.github/workflows/harden-ci-security.yml
new file mode 100644
index 000000000..0cd0b6016
--- /dev/null
+++ b/.github/workflows/harden-ci-security.yml
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Harden CI security
+
+on:
+ workflow_call:
+ inputs:
+ ref:
+ required: true
+ type: string
+
+jobs:
+ ensure-sha-pinned-actions:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - name: Ensure all actions are pinned to a specific commit
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@555a30da2656b4a7cf47b107800bef097723363e # v2.1.3
diff --git a/.github/workflows/on-push-master.yml b/.github/workflows/on-push-master.yml
index e5f9ae45f..5aa5d4f97 100644
--- a/.github/workflows/on-push-master.yml
+++ b/.github/workflows/on-push-master.yml
@@ -7,6 +7,11 @@ on:
 branches: [master]
 jobs:
+ harden-ci-security:
+ uses: ./.github/workflows/harden-ci-security.yml
+ with:
+ ref: ${{ github.event.ref }}
+
 run-tests:
 uses: ./.github/workflows/run-tests.yml
 with:
diff --git a/.github/workflows/on-push-other-branch.yml b/.github/workflows/on-push-other-branch.yml
index c08bdbd1b..3125819ac 100644
--- a/.github/workflows/on-push-other-branch.yml
+++ b/.github/workflows/on-push-other-branch.yml
@@ -7,6 +7,11 @@ on:
 branches-ignore: [master]
 jobs:
+ harden-ci-security:
+ uses: ./.github/workflows/harden-ci-security.yml
+ with:
+ ref: ${{ github.event.ref }}
+
 run-tests:
 uses: ./.github/workflows/run-tests.yml
 with:
diff --git a/.github/workflows/on-push-pr.yml b/.github/workflows/on-push-pr.yml
index 5a2f123fb..09c97102f 100644
--- a/.github/workflows/on-push-pr.yml
+++ b/.github/workflows/on-push-pr.yml
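Review bot: The `ref` input of harden-ci-security.yml is declared `required: true` but nothing in the job reads it — the `Checkout code` step has no `with:` block, so it checks out the event's default ref rather than the ref every caller passes (for the pull_request caller that is presumably the merge ref, not the `head.sha` it supplies). Either drop the input or consume it on the checkout step with `with:` / `ref: ${{ inputs.ref }}`. The workflow also declares no `permissions:`, so the job inherits the repository's default token scope; a read-only pin check needs only `permissions:` / `contents: read` at the job or workflow level. A one-line `description:` on the input stating whether it expects a branch ref or a commit SHA would make the contract visible to the three callers.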
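Review bot: on-push-master.yml passes `ref: ${{ github.event.ref }}`, which on a push event is a branch ref of the form `refs/heads/...`, while on-push-pr.yml passes a commit SHA via `github.event.pull_request.head.sha`; the same `ref` string input therefore receives two different kinds of value and the reusable workflow does not say which it accepts. on-push-other-branch.yml has the identical line. If a commit is intended, `ref: ${{ github.sha }}` would give all three callers the same shape; otherwise the input should be documented as accepting either. The new job has no `needs:` relationship with `run-tests`, which is reasonable for a parallel check but means the tests never wait on the pin check; branch protection would have to require it explicitly. The `run-tests` job at the end of the hunk continues outside it.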
@@ -6,6 +6,11 @@ on:
 pull_request:
 jobs:
+ harden-ci-security:
+ uses: ./.github/workflows/harden-ci-security.yml
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
 run-tests-for-pr:
 uses: ./.github/workflows/run-tests.yml
 with: