diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 17cba8b4..d891026c 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -3,10 +3,11 @@ name: Backport merged pull request
 
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
-    types: [closed]
+    types: [closed, labeled]
 permissions:
   contents: write # so it can comment
   pull-requests: write # so it can create pull requests
+  actions: write # so it can create pull requests on actions/workflows
 jobs:
   backport:
     name: Backport pull request
@@ -14,6 +15,11 @@ jobs:
     # Don't run on closed unmerged pull requests
     if: github.event.pull_request.merged
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Create backport pull requests
-        uses: korthout/backport-action@v2
+        uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2
+        with:
+          experimental: >
+            {
+              "conflict_resolution": "draft_commit_conflicts"
+            }
diff --git a/.github/workflows/firmware.yml b/.github/workflows/firmware.yml
index b28c0102..7567a732 100644
--- a/.github/workflows/firmware.yml
+++ b/.github/workflows/firmware.yml
@@ -22,7 +22,7 @@ jobs:
       build_target_json: ${{ steps.set_target.outputs.build_target }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Set target matrix
         id: set_target
         shell: bash
@@ -44,7 +44,7 @@ jobs:
           sudo rm -rf /usr/local/lib/android
           sudo rm -rf /opt/ghc
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
       - name: Install build dependencies
@@ -57,7 +57,7 @@ jobs:
           make BROKEN=1 GLUON_TARGETS=${{ matrix.target }} V=s
           echo "status=success" >> $GITHUB_OUTPUT
       - name: Upload firmware ${{ matrix.target }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: steps.compile.outputs.status == 'success'
         with:
           name: ${{ matrix.target }}_output
@@ -70,7 +70,7 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       - name: Display structure of artifacts
         run: ls -R
       - name: Create tar.gz files
@@ -80,7 +80,7 @@ jobs:
             tar zcvf "${output}.tar.gz" "${output}"
           done
       - name: Create Release & Upload Release Assets
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
         with:
           # Note: If there is no release name specified, releases created in
           # the GitHub UI do not trigger a failure and are modified instead.