diff --git a/.github/workflows/kiuwan.yml b/.github/workflows/kiuwan.yml
index c94bc5b..264c817 100644
--- a/.github/workflows/kiuwan.yml
+++ b/.github/workflows/kiuwan.yml
@@ -2,11 +2,11 @@ name: Kiuwan
 
 on:
     pull_request:
-        types: [ opened, synchronize, reopened ]
+        types: [opened, synchronize, reopened]
 
 jobs:
     scan:
-        uses: TransbankDevelopers/transbank-github-actions-templates/.github/workflows/kiuwan-pr-scan.yml@2a2837602d7636c5f31f97209ae60a0fe74c2c94
+        uses: TransbankDevelopers/transbank-github-actions-templates/.github/workflows/kiuwan-pr-scan.yml@02f92d3b1c1b56c6242aa7c76eb9479fd82187aa
         with:
             project_name: td-webpay-sdk-python
             source_path: .
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f8fafdd..499b8b8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,12 +12,12 @@ jobs:
             id-token: write
 
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
               with:
                   fetch-depth: 0
 
             - name: Set up Python
-              uses: actions/setup-python@v5
+              uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
               with:
                   python-version: "3.12"
 
@@ -39,6 +39,6 @@ jobs:
               run: pipenv run twine check dist/*
 
             - name: Publish to PyPI
-              uses: pypa/gh-action-pypi-publish@release/v1
+              uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b
               with:
                   repository-url: https://upload.pypi.org/legacy/
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
index 57a51d2..fc41e01 100644
--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -1,21 +1,20 @@
 name: Sonar Scan
 on:
-    push:
-        branches:
-            - master
-            - develop
     pull_request:
         types: [opened, synchronize, reopened]
+permissions:
+    contents: read
+    pull-requests: read
 jobs:
     sonarqube:
         name: SonarQube
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
               with:
                   fetch-depth: 0
             - name: Set up Python
-              uses: actions/setup-python@v5
+              uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
             - name: Install tox
               run: |
                   pip install tox
@@ -23,7 +22,7 @@ jobs:
               run: |
                   tox -e cov
             - name: SonarQube Scan
-              uses: SonarSource/sonarqube-scan-action@v5
+              uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}