diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bef2db12..342efa3f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -24,16 +24,16 @@ jobs:
         - 'oldstable'
 
     steps:
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version: ${{matrix.go-version}}
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: test
       run: make testci
 
-    - uses: codecov/codecov-action@v4
+    - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
       if: ${{ matrix.go-version == 'stable' }}
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
@@ -42,12 +42,12 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: 'stable'
 
-      - uses: golangci/golangci-lint-action@v6
+      - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 72e5052e..409b3914 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -27,22 +27,22 @@ jobs:
       packages: write
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: docker/metadata-action@v5
+      - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             mccutchen/go-httpbin
@@ -61,7 +61,7 @@ jobs:
             type=sha,format=short,enable=${{ github.event_name == 'pull_request' }}
         id: meta
 
-      - uses: docker/build-push-action@v6
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           platforms: linux/amd64,linux/arm64
           push: true
diff --git a/.golangci.yaml b/.golangci.yaml
index 3ed85627..007ef875 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,3 +1,4 @@
+version: "2"
 run:
   modules-download-mode: readonly
 
diff --git a/httpbin/digest/digest.go b/httpbin/digest/digest.go
index 9b1e6667..818c351c 100644
--- a/httpbin/digest/digest.go
+++ b/httpbin/digest/digest.go
@@ -70,8 +70,8 @@ func Challenge(realm string, algorithm digestAlgorithm) string {
 // sanitizeRealm tries to ensure that a given realm does not include any
 // characters that will trip up our extremely simplistic header parser.
 func sanitizeRealm(realm string) string {
-	realm = strings.Replace(realm, `"`, "", -1)
-	realm = strings.Replace(realm, ",", "", -1)
+	realm = strings.ReplaceAll(realm, `"`, "")
+	realm = strings.ReplaceAll(realm, ",", "")
 	return realm
 }