diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6f4e4c..0781d24 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,9 +3,12 @@ name: Checkmarx One Containers-Resolver on: pull_request: +permissions: + contents: read + jobs: unit-tests: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Checkout the repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 7cbc0d4..d5cda64 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -11,7 +11,7 @@ permissions: jobs: auto-merge: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 if: github.event.pull_request.user.login == 'dependabot[bot]' steps: - name: Fetch dependabot metadata diff --git a/.github/workflows/dependabot-rebase-conflicts.yml b/.github/workflows/dependabot-rebase-conflicts.yml index b56ec2d..7fbf340 100644 --- a/.github/workflows/dependabot-rebase-conflicts.yml +++ b/.github/workflows/dependabot-rebase-conflicts.yml @@ -16,7 +16,7 @@ permissions: jobs: rebase-conflicts: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Rebase conflicting Dependabot PRs run: | diff --git a/.github/workflows/pr-name-validation.yml b/.github/workflows/pr-name-validation.yml index a39fa29..8304fa5 100644 --- a/.github/workflows/pr-name-validation.yml +++ b/.github/workflows/pr-name-validation.yml @@ -6,9 +6,12 @@ on: push: branches: main # check how it can be always the default, either master or main or whatever +permissions: + contents: read + jobs: validate_jira_key: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Validate Jira Key if: ${{ github.event_name != 'push' }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 14e91d9..0e4809c 100644 --- a/.github/workflows/release.yml 
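Review bot: The `runs-on` change in ci.yml moves a `pull_request`-triggered job onto `cx-public-ubuntu-x64`, and nothing in the workflow says what isolation that pool provides. If the label maps to self-hosted or otherwise long-lived machines (an assumption, since it is not one of the standard GitHub-hosted labels), code from a pull request executes on them, so the pool should be ephemeral and fork pull requests should need approval before workflows run. I would add a comment above the line, for example `# cx-public-ubuntu-x64: <runner type; ephemeral or persistent; network scope>`, with the placeholders filled in by whoever owns the pool. The same label change appears in dependabot-auto-merge.yml, dependabot-rebase-conflicts.yml, pr-name-validation.yml and release.yml, and the release job pushes tags with `GITHUB_TOKEN`, so the answer matters there as well.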
+++ b/.github/workflows/release.yml @@ -10,7 +10,7 @@ on: jobs: tag-and-release: if: github.event.pull_request.merged == true - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Checkout the repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -53,7 +53,7 @@ jobs: git push origin $new_tag - name: Create release from tag - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token with:
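Review bot: release.yml gets no `permissions:` block in this commit although ci.yml and pr-name-validation.yml do, and the hunk-header context (`on:`) suggests there is no top-level block between the trigger and `jobs:`. The `tag-and-release` job pushes a tag and creates a release with `GITHUB_TOKEN`, so it presumably needs only `contents: write`. Declaring `permissions:` with `contents: write` under `tag-and-release:` would stop the token from inheriting the repository default scopes. The job body continues outside the hunk, so confirm that no later step needs a further scope before narrowing.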
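Review bot: Pinning `actions/create-release` to a commit SHA removes the mutable-tag risk, but the upstream repository is archived, so the pinned code will get no further fixes and Dependabot will have nothing newer to propose. Nothing checks that the trailing `# v1.1.4` comment matches the SHA, so it is worth confirming once against the upstream tag and recording that in the PR. Longer term I would replace the step with a `run:` step that calls `gh release create` using the same `GITHUB_TOKEN`, provided the GitHub CLI is available on the new runner image. The step's `with:` inputs continue outside the hunk, so the exact flags needed cannot be stated from here.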