diff --git a/.github/workflows/pr-validate.yml b/.github/workflows/pr-validate.yml
index f2a9f832d6bb..c2bd602f9a59 100644
--- a/.github/workflows/pr-validate.yml
+++ b/.github/workflows/pr-validate.yml
@@ -52,6 +52,9 @@ env:
   MAVEN_OPTS: -Xmx3500m
   CQ_MAVEN_ARGS: -V -ntp -e -Daether.connector.http.connectionMaxTtl=120
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   check-format:
     if: github.repository == 'apache/camel-quarkus'
@@ -65,9 +68,9 @@ jobs:
       if: github.base_ref == 'quarkus-main'
       run: |
         echo "BRANCH_OPTIONS=-Poss-snapshots" >> $GITHUB_ENV
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # v4.2.2
       with:
         distribution: 'temurin'
         java-version: '17'