diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 5b180fff..71ab79e9 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -35,7 +35,7 @@ jobs:
 
       - name: Run Codex review
         id: run_codex
-        uses: openai/codex-action@v1
+        uses: openai/codex-action@c25d10f3f498316d4b2496cc4c6dd58057a7b031 # v1.6
         env:
           # Use env variables to handle untrusted metadata safely
           PR_TITLE: ${{ github.event.pull_request.title }}
@@ -70,7 +70,7 @@ jobs:
 
     steps:
       - name: Post Codex review as PR comment
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           CODEX_FINAL_MESSAGE: |
             ${{ format('## Codex Review
diff --git a/changelog.md b/changelog.md
index f8bcafe4..4da5a22d 100644
--- a/changelog.md
+++ b/changelog.md
@@ -49,6 +49,7 @@ Internal
 * Move keybinding utilities to a new `key_binding_utils.py`.
 * Move interactive utilities to `interactive_utils.py`.
 * Modernize orthography of prompt_toolkit filters.
+* Pin all GitHub Actions to hashes.
 
 
 1.67.1 (2026/03/28)