diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c4c3b07..6ac9a0b8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,10 +22,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
         with:
           go-version-file: go.mod
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8f45f964..a7bda231 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
       valid_tag: ${{ steps.set_standard_vars.outputs.valid_tag }}
       rc: ${{ steps.set_standard_vars.outputs.rc }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: set outputs with default values
         id: set_standard_vars
         run: |
diff --git a/pkg/def/validate.go b/pkg/def/validate.go
index d68e264d..37f7c8c7 100644
--- a/pkg/def/validate.go
+++ b/pkg/def/validate.go
@@ -27,6 +27,7 @@ func validate[T any](definition T, schemaName string) error {
 		return fmt.Errorf("failed to marshal definition: %w", err)
 	}
 
+	// nosemgrep: go-unsafe-deserialization-interface
 	var v interface{}
 	if unmarshalErr := json.Unmarshal(data, &v); unmarshalErr != nil {
 		return fmt.Errorf("failed to unmarshal definition: %w", err)