diff --git a/.github/actions/setup-and-build/action.yml b/.github/actions/setup-and-build/action.yml
index f00a745c59..5ee56c5982 100644
--- a/.github/actions/setup-and-build/action.yml
+++ b/.github/actions/setup-and-build/action.yml
@@ -32,7 +32,7 @@ runs:
         run_install: false
 
     - name: Setup Node.js
-      uses: useblacksmith/setup-node@v5
+      uses: useblacksmith/setup-node@65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391 # v5.0.4
       with:
         node-version: ${{ inputs.node-version }}
         cache: pnpm
@@ -52,7 +52,7 @@ runs:
 
     - name: Cache artifacts
       if: inputs.enable-caching == 'true' && inputs.skip-build == 'false'
-      uses: useblacksmith/cache@v5
+      uses: useblacksmith/cache@c5fe29eb0efdf1cf4186b9f7fcbbcbc0cf025662 # v5.0.2
       with:
         path: ${{ inputs.cache-paths }}
         key: ${{ github.sha }}-${{ inputs.cache-suffix }}
diff --git a/.github/workflows/ci-pull-requests.yml b/.github/workflows/ci-pull-requests.yml
index 8f534f1494..4c5a8062c5 100644
--- a/.github/workflows/ci-pull-requests.yml
+++ b/.github/workflows/ci-pull-requests.yml
@@ -46,7 +46,7 @@ jobs:
 
       - name: Upload Frontend Build Artifacts
         if: steps.paths-filter.outputs.frontend == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: editor-ui-dist
           path: packages/frontend/editor-ui/dist/
@@ -75,7 +75,7 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       - name: Download Frontend Build Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: editor-ui-dist
           path: packages/frontend/editor-ui/dist/
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
index 39f075cdb9..f0964f7834 100644
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -364,10 +364,12 @@ jobs:
     if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped'
     steps:
       - name: Call Success URL
-        if: github.event_name == 'workflow_dispatch' && github.event.inputs.success_url != ''
+        env:
+          SUCCESS_URL: ${{ github.event.inputs.success_url }}
+        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.success_url != '' }}
         run: |
-          echo "Calling success URL: ${{ github.event.inputs.success_url }}"
-          curl -v "${{ github.event.inputs.success_url }}" || echo "Failed to call success URL"
+          echo "Calling success URL: ${{ env.SUCCESS_URL }}"
+          curl -v "${{ env.SUCCESS_URL }}" || echo "Failed to call success URL"
         shell: bash
 
   security-scan:
diff --git a/.github/workflows/e2e-flaky.yml b/.github/workflows/e2e-flaky.yml
index 847c159007..a703ca16d4 100644
--- a/.github/workflows/e2e-flaky.yml
+++ b/.github/workflows/e2e-flaky.yml
@@ -61,8 +61,10 @@ jobs:
         run: pnpm cypress:install
 
       - name: Run Flaky Debug Command
-        run: pnpm run debug:flaky:e2e "${{ github.event.inputs.test_name }}" ${{ github.event.inputs.burn_count }}
         env:
+          TEST_NAME: ${{ github.event.inputs.test_name }}
+          BURN_COUNT: ${{ github.event.inputs.burn_count }}
           NODE_OPTIONS: --dns-result-order=ipv4first
           E2E_TESTS: true
           SHELL: /bin/sh
+        run: pnpm run debug:flaky:e2e "${{ env.TEST_NAME }}" "${{ env.BURN_COUNT }}"
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 9d6e88f41e..57b303ee3b 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -35,8 +35,10 @@ jobs:
     if: ${{ github.event.inputs.start-url != '' }}
     steps:
       - name: Calls start URL
+        env:
+          START_URL: ${{ github.event.inputs.start-url }}
         run: |
-          [[ "${{github.event.inputs.start-url}}" != "" ]] && curl -v -X POST -d 'url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}' ${{github.event.inputs.start-url}} || echo ""
+          [[ "${{ env.START_URL }}" != "" ]] && curl -v -X POST -d 'url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}' "${{ env.START_URL }}" || echo ""
         shell: bash
 
   run-e2e-tests:
@@ -65,6 +67,8 @@ jobs:
           message: E2E failure for branch `${{ inputs.branch || 'master' }}` deployed by ${{ inputs.user || 'schedule' }} (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
       - name: Call Success URL - optionally
+        env:
+          SUCCESS_URL: ${{ github.event.inputs.success-url }}
         run: |
-          [[ "${{github.event.inputs.success-url}}" != "" ]] && curl -v ${{github.event.inputs.success-url}} || echo ""
+          [[ "${{ env.SUCCESS_URL }}" != "" ]] && curl -v "${{ env.SUCCESS_URL }}" || echo ""
         shell: bash
diff --git a/.github/workflows/linting-reusable.yml b/.github/workflows/linting-reusable.yml
index 18eed2ee8d..d56b95468b 100644
--- a/.github/workflows/linting-reusable.yml
+++ b/.github/workflows/linting-reusable.yml
@@ -29,7 +29,7 @@ jobs:
           ref: ${{ inputs.ref }}
 
       - name: Setup Environment
-        uses: ./.github/actions/setup-and-build
+        uses: n8n-io/n8n/.github/actions/setup-and-build@7e870b8f7f5a39bb8bf82d1f42b6d44febc0082c # v1.100.1
         with:
           node-version: ${{ inputs.nodeVersion }}
           enable-caching: true
diff --git a/.github/workflows/release-create-pr.yml b/.github/workflows/release-create-pr.yml
index ee71d4f5cf..a5b00a3a16 100644
--- a/.github/workflows/release-create-pr.yml
+++ b/.github/workflows/release-create-pr.yml
@@ -56,8 +56,10 @@ jobs:
         run: node .github/scripts/update-changelog.mjs
 
       - name: Push the base branch
+        env:
+          BASE_BRANCH: ${{ github.event.inputs.base-branch }}
         run: |
-          git push -f origin refs/remotes/origin/${{ github.event.inputs.base-branch }}:refs/heads/release/${{ env.NEXT_RELEASE }}
+          git push -f origin "refs/remotes/origin/${{ env.BASE_BRANCH }}:refs/heads/release/${{ env.NEXT_RELEASE }}"
 
       - name: Push the release branch, and Create the PR
         uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
diff --git a/.github/workflows/release-push-to-channel.yml b/.github/workflows/release-push-to-channel.yml
index 6f4f8973a0..3fe73de0ef 100644
--- a/.github/workflows/release-push-to-channel.yml
+++ b/.github/workflows/release-push-to-channel.yml
@@ -27,8 +27,10 @@ jobs:
     steps:
       - name: Check Version Format
         id: check_version
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version }}
         run: |
-          input_version="${{ github.event.inputs.version }}"
+          input_version="${{ env.INPUT_VERSION }}"
           version_regex='^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$'
 
           if [[ "$input_version" =~ $version_regex ]]; then
diff --git a/.github/workflows/test-workflows-callable.yml b/.github/workflows/test-workflows-callable.yml
index d68d9567bf..6959d2f370 100644
--- a/.github/workflows/test-workflows-callable.yml
+++ b/.github/workflows/test-workflows-callable.yml
@@ -43,7 +43,7 @@ jobs:
           ref: ${{ inputs.git_ref }}
 
       - name: Setup Environment and Build Project
-        uses: ./.github/actions/setup-and-build
+        uses: n8n-io/n8n/.github/actions/setup-and-build@7e870b8f7f5a39bb8bf82d1f42b6d44febc0082c # v1.100.1
         with:
           node-version: '22.x'
           cache-suffix: 'workflow-test'
@@ -63,7 +63,6 @@ jobs:
       - name: Import workflows
         run: ./packages/cli/bin/n8n import:workflow --separate --input=test-workflows/workflows
 
-
       - name: Copy static assets
         run: |
           mkdir -p /tmp/testData/pdfs
@@ -76,8 +75,8 @@ jobs:
         run: ./packages/cli/bin/n8n executeBatch --shallow --skipList=test-workflows/skipList.json --githubWorkflow --shortOutput --output=test-results.json --concurrency=16 --compare=test-workflows/snapshots
         continue-on-error: true
         env:
-          SKIP_STATISTICS_EVENTS: "true"
-          DB_SQLITE_POOL_SIZE: "4"
+          SKIP_STATISTICS_EVENTS: 'true'
+          DB_SQLITE_POOL_SIZE: '4'
           N8N_SENTRY_DSN: ${{ secrets.CI_SENTRY_DSN }}
 
       - name: Report test outcome
@@ -212,4 +211,4 @@ jobs:
             echo "Successfully sent data to webhook."
           else
             echo "::error::Webhook call failed with status code $http_response_code."
-          fi
\ No newline at end of file
+          fi
diff --git a/.github/workflows/units-tests-reusable.yml b/.github/workflows/units-tests-reusable.yml
index 1de459e41a..a47fa0d82b 100644
--- a/.github/workflows/units-tests-reusable.yml
+++ b/.github/workflows/units-tests-reusable.yml
@@ -48,7 +48,7 @@ jobs:
           ref: ${{ inputs.ref }}
 
       - name: Setup Environment and Build Project
-        uses: ./.github/actions/setup-and-build
+        uses: n8n-io/n8n/.github/actions/setup-and-build@7e870b8f7f5a39bb8bf82d1f42b6d44febc0082c # v1.100.1
         with:
           node-version: ${{ inputs.nodeVersion }}
           skip-build: ${{ inputs.cacheKey != '' }}