diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 12228a80..30b53374 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,11 +1,30 @@
-permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
+# Copyright 2022 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: release
 on: [push, pull_request]
+
+permissions:
+  contents: read  # This is required for actions/checkout
+
+
 jobs:
   fmt:
     uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: fmt
@@ -15,6 +34,9 @@ jobs:
   sast:
     needs: [fmt]
     uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: sast
@@ -24,6 +46,9 @@ jobs:
   unit-test:
     needs: [fmt]
     uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
     with:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: unit-test
@@ -68,7 +93,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Download GoReleaser
-        run: go install github.com/goreleaser/goreleaser@latest
+        run: go install github.com/goreleaser/goreleaser@v1.23.0
 
       - name: Run GoReleaser
         uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
index 415eb405..6fdd09b4 100644
--- a/.github/workflows/verify-licence.yml
+++ b/.github/workflows/verify-licence.yml
@@ -17,7 +17,7 @@ jobs:
           with:
             go-version: '1.18.x'
         - name: Install addlicense
-          run: go install github.com/google/addlicense@latest
+          run: go install github.com/google/addlicense@v1.1.1
         - name: Check license headers
           run: |
             set -e
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index 1b031473..2e353ed2 100644
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -40,9 +40,15 @@ on:
                 required: true
                 type: string
 
+permissions:
+  contents: read
+
 jobs:
     witness:
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
+          id-token: write
         steps:
           - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
           - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
diff --git a/dev/Dockerfile.go-builder b/dev/Dockerfile.go-builder
index 2f98ea11..9bf246c8 100644
--- a/dev/Dockerfile.go-builder
+++ b/dev/Dockerfile.go-builder
@@ -1,2 +1,2 @@
-FROM golang:1.21.3
+FROM golang:1.21.3@sha256:b113af1e8b06f06a18ad41a6b331646dff587d7a4cf740f4852d16c49ed8ad73
 COPY  ./bin/witness /usr/bin