diff --git a/.github/workflows/app.yaml b/.github/workflows/app.yaml index 4ff87d2..855357f 100644 --- a/.github/workflows/app.yaml +++ b/.github/workflows/app.yaml @@ -11,20 +11,20 @@ jobs: prepare: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: jdx/mise-action@v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2 with: version: 2024.10.7 install: true experimental: true - - uses: actions/setup-go@v5 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 with: go-version: '1.23.4' cache-dependency-path: 'app/go.sum' - run: go mod tidy - run: task gen - name: Save task cache - uses: actions/cache/save@v4 + uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 with: path: ./.task key: task-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.task/checksum/*') }} @@ -35,21 +35,21 @@ jobs: needs: [prepare] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Restore task cache - uses: actions/cache/restore@v4 + uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 with: path: ./.task key: task-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.task/checksum/*') }} - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2 with: version: 2024.10.7 install: false - - uses: actions/setup-go@v5 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 with: go-version: '1.23.4' cache-dependency-path: 'app/go.sum' - - uses: golangci/golangci-lint-action@v6 + - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6 with: version: v1.61.0 working-directory: ./app 
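Review bot: The trailing comments on the newly pinned `uses:` lines (`# v4`, `# v2`, `# v5`, `# v6`) name a moving major tag, so a reader cannot tell which release each 40-character SHA was resolved from without querying the action's repository. I would record the exact release tag instead, in the form `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # <exact release tag>`. A later SHA change then shows up in review as a visible release bump rather than an opaque hash swap. The same applies to the pinned lines in the hunks at -35, -59 and -79; the rest of the workflow file is outside these hunks.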
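Review bot: Pinning `jdx/mise-action` and `golangci/golangci-lint-action` by commit SHA fixes the action code, but the `with:` inputs in this hunk (`version: 2024.10.7` and `version: v1.61.0`) still appear to select tools that the actions download by version at run time. Whether those downloads are checksum-verified is not visible here, so the pin should not be read as covering the downloaded binaries. I would add a comment above each such step, for example `# action is SHA-pinned; the tool selected by version below is fetched at run time`. The same mise step recurs in the hunks at -11, -59 and -79.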
@@ -59,17 +59,17 @@ jobs: needs: [prepare] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Restore task cache - uses: actions/cache/restore@v4 + uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 with: path: ./.task key: task-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.task/checksum/*') }} - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2 with: version: 2024.10.7 install: false - - uses: actions/setup-go@v5 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 with: go-version: '1.23.4' cache-dependency-path: 'app/go.sum' @@ -79,17 +79,17 @@ jobs: needs: [prepare] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Restore task cache - uses: actions/cache/restore@v4 + uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 with: path: ./.task key: task-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.task/checksum/*') }} - - uses: jdx/mise-action@v2 + - uses: jdx/mise-action@5083fe46898c414b2475087cc79da59e7da859e8 # v2 with: version: 2024.10.7 install: false - - uses: actions/setup-go@v5 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 with: go-version: '1.23.4' cache-dependency-path: 'app/go.sum' diff --git a/app/Dockerfile b/app/Dockerfile index a9a3053..809bd5d 100644 --- a/app/Dockerfile +++ b/app/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.23.4 AS builder +FROM golang:1.23.4@sha256:7ea4c9dcb2b97ff8ee80a67db3d44f98c8ffa0d191399197007d8459c1453041 AS builder ARG LDFLAGS ENV LDFLAGS=${LDFLAGS} 
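Review bot: In `FROM golang:1.23.4@sha256:… AS builder` the digest is what gets resolved and the tag becomes informational, so a later edit that bumps only `1.23.4` would keep building the old image with no error. I would add a comment above the line such as `# digest is authoritative; update tag and digest together`. The same tag-plus-digest form is used on every `image:` line changed in compose.yaml, so the caveat applies there too. Separately, the workflow sets `go-version: '1.23.4'`, and that value needs to stay in step with this line by hand.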
@@ -9,7 +9,7 @@ RUN go mod download COPY . ./ RUN CGO_ENABLED=0 go build -ldflags="${LDFLAGS}" -o dist/ ./cmd/countup/... -FROM gcr.io/distroless/static-debian12 +FROM gcr.io/distroless/static-debian12@sha256:5c7e2b465ac6a2a4e5f4f7f722ce43b147dabe87cb21ac6c4007ae5178a1fa58 WORKDIR /app USER nonroot:nonroot COPY --from=builder --chown=nonroot:nonroot /src/dist /app/bin diff --git a/compose.yaml b/compose.yaml index dc5833c..6ee7c85 100644 --- a/compose.yaml +++ b/compose.yaml @@ -38,7 +38,7 @@ services: OAUTH_REDIRECT_URL: https://localhost:4043/login/google/callback traefik: - image: traefik:v3.2.1 + image: traefik:v3.2.1@sha256:1a3e33f976d10f45efd613aa64814867068bf51c782599a70ef370447686291b labels: service: traefik tier: ingress @@ -51,7 +51,7 @@ services: - ./infra/environments/local/compose/traefik:/etc/traefik postgres: - image: postgres:15.8-alpine + image: postgres:15.8-alpine@sha256:8b963ea3038c3b32182ee7f592ccde21242fa7c5fd9d1b72aa333c27f1bfc809 labels: service: postgres component: primary @@ -93,7 +93,7 @@ services: - ./app/schema/migrations:/app/migrations postgres-exporter: - image: quay.io/prometheuscommunity/postgres-exporter:v0.15.0 + image: quay.io/prometheuscommunity/postgres-exporter:v0.15.0@sha256:386b12d19eab2a37d7cd8ca8b4c7491cc7a830d9581f49af6c98a393da9605e6 labels: service: postgres component: exporter @@ -110,7 +110,7 @@ services: DATA_SOURCE_PASS: countup grafana: - image: grafana/grafana:11.1.4 + image: grafana/grafana:11.1.4@sha256:886b56d5534e54f69a8cfcb4b8928da8fc753178a7a3d20c3f9b04b660169805 labels: service: grafana tier: observability 
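Review bot: The runtime stage `FROM gcr.io/distroless/static-debian12@sha256:…` carries no tag or comment, so nothing on the line records which build of the base image the digest refers to or when it was resolved. Before this change the untagged reference picked up the current base image on every rebuild; now the final image stays on this digest until someone bumps it. No automated digest updater configuration is visible in this diff, so that dependency is worth confirming. I would add a comment above the line along the lines of `# static-debian12, digest resolved <date>; refresh regularly for base-image security fixes`.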
@@ -127,7 +127,7 @@ services: - GF_INSTALL_PLUGINS=https://storage.googleapis.com/integration-artifacts/grafana-lokiexplore-app/grafana-lokiexplore-app-latest.zip;grafana-lokiexplore-app otel-collector: - image: otel/opentelemetry-collector-contrib:0.107.0 + image: otel/opentelemetry-collector-contrib:0.107.0@sha256:b65527791431d76d058b2813748a3f4a8912540d7b23beac2f6b4e02c872f5b7 labels: service: otel-collector tier: observability @@ -150,7 +150,7 @@ services: - ./infra/environments/local/compose/otel-collector/config.yaml:/etc/otel-collector/config.yaml promtail: - image: grafana/promtail:3.1.1 + image: grafana/promtail:3.1.1@sha256:48fba41d9f08c6a56a85b078529dc8550a1809d3e7a9674982e9e9bfbdc854c1 labels: service: promtail tier: observability @@ -167,7 +167,7 @@ services: - ./infra/environments/local/compose/promtail/config.yaml:/etc/promtail/config.yaml loki: - image: grafana/loki:3.1.1 + image: grafana/loki:3.1.1@sha256:e689cc634841c937de4d7ea6157f17e29cf257d6a320f1c293ab18d46cfea986 labels: service: loki tier: observability @@ -180,7 +180,7 @@ services: - ./infra/environments/local/compose/loki/config.yaml:/etc/loki/config.yaml tempo: - image: grafana/tempo:2.5.0 + image: grafana/tempo:2.5.0@sha256:f0200a9bff6d14eb3a4332194f7b77c37ee1a3535e7e41db024d95aab6f1b4e8 labels: service: tempo tier: observability @@ -193,7 +193,7 @@ services: - ./infra/environments/local/compose/tempo/config.yaml:/etc/tempo/config.yaml mimir: - image: grafana/mimir:2.13.0 + image: grafana/mimir:2.13.0@sha256:8bdec4684b1a8011d5f5f7710fcfd89c42139b181978325b65747e47376f40d7 labels: service: mimir tier: observability
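Review bot: The context line `GF_INSTALL_PLUGINS=https://storage.googleapis.com/…/grafana-lokiexplore-app-latest.zip;grafana-lokiexplore-app` at the top of this hunk still pulls a `latest` plugin archive when the grafana container starts. The container's contents therefore remain mutable even though its image is digest-pinned elsewhere in this commit. I would point it at a versioned archive, or install the plugin in a derived image whose digest can be pinned. At minimum the line should carry a comment such as `# plugin archive is unpinned (latest) and not covered by the image digest`. The grafana service block begins in the previous hunk, so its full environment list is not visible here.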