diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 6e033bb..4eba6da 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -32,10 +32,10 @@ jobs:
 package: ${{ steps.setup.outputs.package }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
 cache: false
@@ -48,7 +48,7 @@ jobs:
 PACKAGE="${{ env.DOCKER_REGISTRY }}/${DOCKER_REPO}:20m"
 echo "package=${PACKAGE}" >> $GITHUB_OUTPUT
 echo "Generated name: ${PACKAGE}" >> $GITHUB_STEP_SUMMARY
- - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7
+ - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
 with:
 version: '~> v2'
 args: release --snapshot --clean
@@ -103,7 +103,7 @@ jobs:
 - { test: test-mdbook, webserver: nginx, builder: "paketobuildpacks/ubuntu-noble-builder:latest", runner: ubuntu-24.04-arm }
 - { test: test-mdbook, webserver: httpd, builder: "paketobuildpacks/ubuntu-noble-builder:latest", runner: ubuntu-24.04-arm }
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: docker pull ${PACKAGE}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eb2ee1f..06e5b94 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,10 +15,18 @@ jobs:
 DOCKER_REGISTRY: "r.planetary-quantum.com"
 DOCKER_REPO: "buildpacks"
 steps:
- - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
+ - id: load-registry-credentials
+ uses: 1password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0
+ with:
+ export-env: false
+ env:
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_RUNWAYOSS_SERVICE_ACCOUNT }}
+ REGISTRY_USERNAME: op://Runway/robot-harbor-buildpacks/username
+ REGISTRY_PASSWORD: op://Runway/robot-harbor-buildpacks/password
+ - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
 id: app-token
 with:
- app-id: ${{ secrets.RUNWAY_CI_BOT_APP_ID }}
+ client-id: ${{ secrets.RUNWAY_CI_BOT_APP_ID }}
 private-key: ${{ secrets.RUNWAY_CI_BOT_PRIVATE_KEY }}
 owner: ${{ github.repository_owner }}
 permission-contents: write
@@ -34,9 +42,9 @@ jobs:
 - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
 with:
 registry: ${{ env.DOCKER_REGISTRY }}
- username: ${{ secrets.BP_QUANTUM_DOCKER_USERNAME }}
- password: ${{ secrets.BP_QUANTUM_DOCKER_PASSWORD }}
- - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7
+ username: ${{ steps.load-registry-credentials.outputs.REGISTRY_USERNAME }}
+ password: ${{ steps.load-registry-credentials.outputs.REGISTRY_PASSWORD }}
+ - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
 with:
 version: '~> v2'
 args: release --clean
diff --git a/.github/workflows/update-deps.yml b/.github/workflows/update-deps.yml
index 50cc6f5..aa7166a 100644
--- a/.github/workflows/update-deps.yml
+++ b/.github/workflows/update-deps.yml
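Review bot: `client-id: ${{ secrets.RUNWAY_CI_BOT_APP_ID }}` in the create-github-app-token step passes a secret whose name says "app ID" to the `client-id` input, and the same line appears in the update-deps.yml hunk. The diff does not show what the secret holds, so confirm that its value is one the action accepts for `client-id`. If the client ID is a different value, store it under a name that matches (for example a new secret such as `RUNWAY_CI_BOT_CLIENT_ID`) so a later rotation or audit of the app credentials is not misled by the name. The step's `with:` block continues past the end of the hunk.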
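Review bot: The `username` and `password` inputs of the docker/login-action step now read `steps.load-registry-credentials.outputs.*`, but nothing beside them says where that step lives or why outputs are used rather than environment variables. A comment above the step would record the intent, e.g. `# Registry credentials are loaded from 1Password by the load-registry-credentials step; export-env: false keeps them out of the job environment.` As I read the action, `export-env: false` exposes the values only as step outputs, which keeps them away from the goreleaser step that follows. `BP_QUANTUM_DOCKER_USERNAME` and `BP_QUANTUM_DOCKER_PASSWORD` are no longer referenced here; if no other workflow uses them (not visible in this diff), they can be deleted from the repository secrets.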
@@ -16,15 +16,15 @@ jobs:
 env:
 BRANCH_NAME: automation/meta-buildpack/update
 steps:
- - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
+ - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
 id: app-token
 with:
- app-id: ${{ secrets.RUNWAY_CI_BOT_APP_ID }}
+ client-id: ${{ secrets.RUNWAY_CI_BOT_APP_ID }}
 private-key: ${{ secrets.RUNWAY_CI_BOT_PRIVATE_KEY }}
 owner: ${{ github.repository_owner }}
 permission-pull-requests: write
 permission-contents: write
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 token: ${{ steps.app-token.outputs.token }}
 persist-credentials: true