diff --git a/.github/workflows/docs_deploy.yml b/.github/workflows/docs_deploy.yml
index cde7ce5e5..5057789f8 100644
--- a/.github/workflows/docs_deploy.yml
+++ b/.github/workflows/docs_deploy.yml
@@ -24,7 +24,7 @@ jobs:
 run:
 working-directory: ./docs
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017
 with:
 sparse-checkout: |
 docs
@@ -35,7 +35,7 @@ jobs:
 # Install Syft
 wget --no-verbose https://raw.githubusercontent.com/anchore/syft/main/install.sh -O - | sh -s -- -b /usr/local/bin

- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@c2ac33f2c62f978d6c944d9648125a294e56dc0b
 with:
 node-version: 18

@@ -51,12 +51,24 @@ jobs:
 - name: Generate reports
 run: |
 mkdir -p reports
- syft packages . -o cyclonedx-json --file reports/sbom.cyclonedx.json
- syft packages . -o spdx-json --file reports/sbom.spdx.json
 tar -czf reports/build.tar.gz build
+
+ - uses: anchore/sbom-action@a5afbb185c4d9799c758f05e496032af75ae9128
+ with:
+ path: .
+ format: cyclonedx-json
+ upload-artifact: false
+ output-file: docs/reports/sbom.cyclonedx.json
+
+ - uses: anchore/sbom-action@a5afbb185c4d9799c758f05e496032af75ae9128
+ with:
+ path: .
+ format: spdx-json
+ upload-artifact: false
+ output-file: docs/reports/sbom.spdx.json

 # Upload artifacts so they are shared with the chainloop job
- - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ - uses: actions/upload-artifact@ef09cdac3e2d3e60d8ccadda691f4f1cec5035cb
 with:
 name: reports
 path: docs/reports/*
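Review bot: The new SHA pin on `actions/checkout` has no trailing version comment, so a reviewer cannot tell which release the 40-character hash corresponds to, and update tooling that reads such comments has nothing to work from. Keep the pin but annotate it, e.g. `- uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017 # <release tag>`, after confirming the commit is reachable from a release tag in the upstream repository. The same applies to the `actions/setup-node` pin in the second hunk and to both `anchore/sbom-action` pins and the `actions/upload-artifact` pin in the third, where the commit drops the existing `# v3.1.3` annotation instead of updating it. The step list continues outside this hunk.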
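Review bot: The context step just above the changed `setup-node` line still pipes `install.sh` from the mutable `main` branch of anchore/syft straight into `sh`, which is the same unpinned-dependency exposure this commit removes from the `uses:` lines. Because the third hunk replaces the only visible `syft packages` calls with `anchore/sbom-action`, this install step looks unused now and could simply be deleted. If something outside these hunks still needs the CLI, download the installer from a fixed tag or commit and verify its checksum before executing it. The step starts outside the hunk, so its name and any earlier commands are not visible here.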
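Review bot: `path: .` in the two `anchore/sbom-action` steps resolves against the repository workspace, because `defaults.run.working-directory` applies only to `run:` steps, whereas the removed `syft packages .` commands ran inside `./docs`. The `output-file: docs/reports/...` values already account for that difference, but the scan root has moved up one level, so the SBOMs may now describe whatever the sparse checkout leaves at the repository root rather than the docs project alone. If the previous scope is intended, use `path: docs` in both steps. Separately, if the new `actions/upload-artifact` SHA is a different major version from the download step in the chainloop job, the `reports` artifact may not be found there; that job is outside the hunk.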