diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
index 21657fa7..604d76bf 100644
--- a/.github/workflows/basic.yml
+++ b/.github/workflows/basic.yml
@@ -6,8 +6,19 @@ permissions:
 on: [workflow_call, workflow_dispatch]
 jobs:
+ workflowcheck:
+ name: Check validity of GitHub workflows
+ runs-on: ubuntu-latest
+ container: openquantumsafe/ci-ubuntu-latest:latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+ - name: Ensure GitHub actions are valid
+ run: actionlint -shellcheck "" # run *without* shellcheck
+
 check_clang_format:
 name: "Coding style"
+ needs: [workflowcheck]
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
diff --git a/.github/workflows/check_workflows.yml b/.github/workflows/check_workflows.yml
index 3bbb6650..e69de29b 100644
--- a/.github/workflows/check_workflows.yml
+++ b/.github/workflows/check_workflows.yml
@@ -1,14 +0,0 @@
-name: Check GitHub workflows
-
-on: [pull_request, push, workflow_call]
-
-jobs:
- workflowcheck:
- name: Check validity of GitHub workflows
- runs-on: ubuntu-latest
- container: openquantumsafe/ci-ubuntu-latest:latest
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
- - name: Ensure GitHub actions are valid
- run: actionlint -shellcheck "" # run *without* shellcheck
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index d8e51f10..ee029f91 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -261,7 +261,7 @@ jobs:
 - name: Update container
 run: apt update && apt install -y cmake ninja-build gcc libssl-dev git
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 - name: Full build
 run: LIBOQS_BRANCH=main ./scripts/fullbuild.sh
 - name: Test
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 474684e2..379dd860 100644
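Review bot: The `workflowcheck` job added to basic.yml runs in `container: openquantumsafe/ci-ubuntu-latest:latest`, a mutable tag, while the checkout step in the same job is pinned to a commit SHA; the image content can change without any change to this file, and `check_clang_format` now waits on that job through `needs: [workflowcheck]`. Pinning the image by digest, `container: openquantumsafe/ci-ubuntu-latest@sha256:<digest>` (placeholder; take the digest from the registry), would give the image the same guarantee as the action. Separately, the removed check_workflows.yml ran on `pull_request` and `push`, whereas basic.yml is triggered only by `workflow_call` and `workflow_dispatch`, so whether workflow linting still runs on every pull request depends on callers that are not visible in this diff. The check_workflows.yml section also ends at blob `e69de29b` with no `deleted file mode` line, which suggests the file is left empty rather than removed; removing it with `git rm` would avoid an empty file in `.github/workflows`.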
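Review bot: The trailing comment `# pin@v4` on the new `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332` line in linux.yml names only the major version, so a reader cannot tell from the file which release the SHA was taken from when auditing or updating the pin. Recording the exact tag in the comment, `# v4.x.y` (placeholder for the release this SHA corresponds to), makes the pin checkable against the upstream tag list. The same comment is used in the basic.yml, macos.yml and release-test.yml hunks. This step also jumps from `actions/checkout@v2` to v4 in a job whose container is declared outside the hunk, so it is worth confirming that the image supports the newer Node runtime that v4 runs on.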
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -92,7 +92,7 @@ jobs:
 - name: Install prerequisites
 run: brew install liboqs
 - name: Checkout oqsprovider code
- uses: actions/checkout@v2
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 - name: Build and test oqsprovider
 # try this only if brew'd liboqs knows about ML-KEM:
 run: |
diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
index 6c6e7f83..e439e418 100644
--- a/.github/workflows/release-test.yml
+++ b/.github/workflows/release-test.yml
@@ -71,11 +71,11 @@ jobs:
 && echo "liboqs_ref=$liboqs_ref" >> "$GITHUB_ENV" \
 || echo "liboqs_ref=main" >> "$GITHUB_ENV"
 - name: Checkout oqs-provider on requested ref if it exists; otherwise, fall back to main
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 with:
 ref: ${{ env.provider_ref }}
 - name: Checkout liboqs at requested ref if it exists; otherwise, fall back to main
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 with:
 repository: open-quantum-safe/liboqs
 path: liboqs
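Review bot: Both checkout steps in the release-test.yml hunk keep the default credential handling: the first checks out `ref: ${{ env.provider_ref }}` and the second clones `open-quantum-safe/liboqs` into `path: liboqs`, and neither sets `persist-credentials`. With the default, the job token stays in the checked-out repository's git configuration for the later steps, which presumably build and test a ref chosen at run time. If no later step pushes or fetches with that token (the rest of the job is outside the hunk), add `persist-credentials: false` under each `with:`.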