diff --git a/.github/.github/workflows/lighthouse.yml b/.github/.github/workflows/lighthouse.yml
index a766f75..119ca82 100644
--- a/.github/.github/workflows/lighthouse.yml
+++ b/.github/.github/workflows/lighthouse.yml
@@ -1,10 +1,14 @@
 name: Lighthouse
+permissions:
+ contents: read
 on: [push, pull_request]
 jobs:
 CI:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v1
+ with:
+ persist-credentials: false
 - name: Set up Python 3.7
 uses: actions/setup-python@v1
@@ -22,7 +26,7 @@ jobs:
 make html
 - name: Run Lighthouse against example docs build
- uses: treosh/lighthouse-ci-action@v2
+ uses: treosh/lighthouse-ci-action@005e1277a8a17ea0b0ef6c3332d59a7cd0f730ce # v2
 with:
 configPath: "./lighthouserc.json"
 temporaryPublicStorage: true
diff --git a/.github/.github/workflows/pre-commit.yaml b/.github/.github/workflows/pre-commit.yaml
index 82e8821..3370c9b 100644
--- a/.github/.github/workflows/pre-commit.yaml
+++ b/.github/.github/workflows/pre-commit.yaml
@@ -1,4 +1,6 @@
 name: Linting
+permissions:
+ contents: read
 on:
 push:
@@ -12,5 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
- - uses: pre-commit/action@v2.0.0
+ - uses: pre-commit/action@0764670bf370aab253130d534e1eda7ff497dc60 # v2.0.0
diff --git a/.github/.github/workflows/publish-pypi.yml b/.github/.github/workflows/publish-pypi.yml
index 78cbfe6..1009f57 100644
--- a/.github/.github/workflows/publish-pypi.yml
+++ b/.github/.github/workflows/publish-pypi.yml
@@ -1,4 +1,6 @@
 name: Push to PyPI
+permissions:
+ contents: read
 on:
 push:
@@ -8,10 +10,15 @@ on:
 jobs:
 publish:
 runs-on: ubuntu-latest
-
+ permissions:
+ id-token: write
+ attestations: write
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v1
+ with:
+ persist-credentials: false
 - name: Set up Python 3.7
 uses: actions/setup-python@v1
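Review bot: In lighthouse.yml the new `persist-credentials: false` sits under `actions/checkout@v1`, and as far as I know that input was only introduced with checkout v2, so on v1 it is probably ignored with an "unexpected input" warning and the hardening has no effect. The same applies to the `actions/checkout@v1` step in the `publish` job of publish-pypi.yml. Moving both steps to a checkout release that supports the input, written as `uses: actions/checkout@<full-commit-sha> # <release tag>` like the third-party actions in this commit, would make the setting effective. `actions/setup-python@v1` and `@v2` also remain on mutable tags, which is inconsistent with the SHA pinning done elsewhere in the change.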
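Review bot: The `# v2` comment after the pinned SHA of `treosh/lighthouse-ci-action` in lighthouse.yml names a major tag that presumably moves, so it does not record which release the SHA was taken from. I would put the exact release in the comment, e.g. `# vX.Y.Z` (placeholder for the release that commit belongs to), so a reviewer or an update bot can check the SHA against a fixed tag. The other pins in this commit (`# v2.0.0`, `# v1.12.4`, `# v1.1.0`) already do this.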
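Review bot: The job-level `id-token: write` and `attestations: write` added to the `publish` job in publish-pypi.yml look unused, because the publish step in this file's next hunk still authenticates with `user: __token__` and `password: ${{ secrets.pypi_token }}` rather than through OIDC. Either move the project to PyPI Trusted Publishing and drop the `user`/`password` inputs together with the long-lived secret, or reduce the job to `contents: read`. As far as I know the publish action needs only `id-token: write` for trusted publishing, so `attestations: write` can probably be removed in either case. Because the permissions are set on the whole job, the build step (`python setup.py sdist bdist_wheel`, visible in the next hunk) runs with them too; a separate build job would keep the OIDC token away from build-time code.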
@@ -29,7 +36,7 @@ jobs:
 python setup.py sdist bdist_wheel
 - name: Publish mpl-sphinx-theme
- uses: pypa/gh-action-pypi-publish@master
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
 user: __token__
 password: ${{ secrets.pypi_token }}
diff --git a/.github/.githubold/workflows/main.yml b/.github/.githubold/workflows/main.yml
index c6864b5..94d61c5 100644
--- a/.github/.githubold/workflows/main.yml
+++ b/.github/.githubold/workflows/main.yml
@@ -5,7 +5,7 @@ jobs:
 name: Run CircleCI artifacts redirector
 steps:
 - name: GitHub Action step
- uses: larsoner/circleci-artifacts-redirector-action@master
+ uses: scientific-python/circleci-artifacts-redirector-action@7eafdb60666f57706a5525a2f5eb76224dc8779b # v1.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 artifact-path: 0/docs/_build/html/index.html
diff --git a/.gitignore b/.gitignore
index bacf9c1..2d088b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /mpl_sphinx_theme.egg-info/
 /mpl_sphinx_theme/__pycache__/
 build
+dist
\ No newline at end of file
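Review bot: main.yml is the only workflow in this commit that hands `${{ secrets.GITHUB_TOKEN }}` to a third-party action, yet it gets no `permissions:` block like the other three workflows, at least not in the lines shown (the hunk starts at line 5, so the top of the file is not visible). As far as I know the redirector action only needs to post a commit status, so a `permissions:` mapping with `statuses: write` at workflow or job level would scope the token if this file under `.githubold` is still run. The `uses:` line also changes the action's owner from `larsoner` to `scientific-python`, so it is worth confirming that the pinned SHA is the `v1.1.0` tag in the new repository.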