diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 100a980c..3e4ba8a8 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -5,7 +5,7 @@ jobs:
       env:
         LOG_LEVEL: debug
         RENOVATE_BRANCH_PREFIX: renovate-github/
-        RENOVATE_ENABLED_MANAGERS: '["pep621", "github-actions"]'
+        RENOVATE_ENABLED_MANAGERS: '["pep621", "github-actions", "gitlabci"]'
         RENOVATE_GIT_AUTHOR: Renovate GitHub Bot <github@renovatebot.com>
         RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
         RENOVATE_PLATFORM: github
diff --git a/.gitlab/workflows/commitlint.yml b/.gitlab/workflows/commitlint.yml
index 1539bb2d..9b8b9971 100644
--- a/.gitlab/workflows/commitlint.yml
+++ b/.gitlab/workflows/commitlint.yml
@@ -1,6 +1,6 @@
 commitlint:
   image:
-    name: commitlint/commitlint:18.6.2
+    name: commitlint/commitlint:18.6.2@sha256:d82e66abdeda7fb4584c3206ddcf9cc4c6c9cb67e433030de0904fed3dab662a
     entrypoint: [""]
   interruptible: true
   rules:
diff --git a/.gitlab/workflows/devcontainer.yml b/.gitlab/workflows/devcontainer.yml
index 71fc291c..51dcb9cf 100644
--- a/.gitlab/workflows/devcontainer.yml
+++ b/.gitlab/workflows/devcontainer.yml
@@ -1,5 +1,5 @@
 dev-container-publish:
-  image: docker:25.0.3
+  image: docker:25.0.3@sha256:0d70c541ee98e66b8f7ece8c0e9f7910732466e337a9087c2ac2868ef0775092
   parallel:
     matrix:
       - PYTHON_VERSION:
@@ -29,7 +29,7 @@ dev-container-publish:
         --tag ${CI_REGISTRY_IMAGE}/dev:py${PYTHON_VERSION} \
         --target dev
   services:
-    - docker:25.0.3-dind
+    - docker:25.0.3-dind@sha256:0d70c541ee98e66b8f7ece8c0e9f7910732466e337a9087c2ac2868ef0775092
   stage: build
   variables:
     DOCKER_TLS_CERTDIR: /certs
diff --git a/.gitlab/workflows/release.yml b/.gitlab/workflows/release.yml
index 257c04ad..81495f80 100644
--- a/.gitlab/workflows/release.yml
+++ b/.gitlab/workflows/release.yml
@@ -12,7 +12,7 @@ pages-build:
     - make release-notes > release-notes.md
   stage: release
 release-publish:
-  image: registry.gitlab.com/gitlab-org/release-cli:v0.16.0
+  image: registry.gitlab.com/gitlab-org/release-cli:v0.16.0@sha256:5a71acbadc47c1971100f5246b09f88ba09e84ebe7769e425475dce85245a2bf
   needs:
     - pages-build
   release:
@@ -24,7 +24,7 @@ release-publish:
     - echo "Running the release job."
   stage: release
 container-publish:
-  image: docker:25.0.3
+  image: docker:25.0.3@sha256:0d70c541ee98e66b8f7ece8c0e9f7910732466e337a9087c2ac2868ef0775092
   needs:
     - release-publish
   parallel:
@@ -65,7 +65,7 @@ container-publish:
         --tag ${CI_REGISTRY_IMAGE}:py${PYTHON_VERSION}-${CI_COMMIT_TAG} \
         --target prod
   services:
-    - docker:25.0.3-dind
+    - docker:25.0.3-dind@sha256:0d70c541ee98e66b8f7ece8c0e9f7910732466e337a9087c2ac2868ef0775092
   stage: release
   variables:
     DOCKER_TLS_CERTDIR: /certs
diff --git a/.gitlab/workflows/renovate.yml b/.gitlab/workflows/renovate.yml
index 6990fb68..fcffc29d 100644
--- a/.gitlab/workflows/renovate.yml
+++ b/.gitlab/workflows/renovate.yml
@@ -3,7 +3,7 @@ renovate:
     key: ${CI_COMMIT_REF_SLUG}-renovate
     paths:
       - renovate/cache/renovate/repository/
-  image: renovate/renovate:37.202.2
+  image: renovate/renovate:37.202.2@sha256:6b5508487d42dcd36f95ff1139958f3b755bc8ff77b805b86eb1c59db943ef2f
   rules:
     - if: $CI_PIPELINE_SOURCE == "schedule" && $RENOVATE_TOKEN != null
   script: renovate $RENOVATE_EXTRA_FLAG
@@ -12,7 +12,7 @@ renovate:
     LOG_LEVEL: debug
     RENOVATE_BASE_DIR: $CI_PROJECT_DIR/renovate
     RENOVATE_BRANCH_PREFIX: renovate-gitlab/
-    RENOVATE_ENABLED_MANAGERS: '["pep621"]'
+    RENOVATE_ENABLED_MANAGERS: '["pep621", "gitlabci"]'
     RENOVATE_ENDPOINT: $CI_API_V4_URL
     RENOVATE_GIT_AUTHOR: Renovate GitLab Bot <gitlab@renovatebot.com>
     RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
diff --git a/.renovaterc.json b/.renovaterc.json
index eb577d2b..b0cfba92 100644
--- a/.renovaterc.json
+++ b/.renovaterc.json
@@ -4,6 +4,11 @@
         "config:best-practices",
         ":maintainLockFilesWeekly"
     ],
+    "gitlabci": {
+        "fileMatch": [
+            "^.gitlab/workflows/.*\\.yml$"
+        ]
+    },
     "ignorePaths": [
         "**/template/**"
     ]