diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 174a05ae4..83cc9a38d 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -6,7 +6,7 @@ on:
 branches:
 - main
 release:
- types: [published]
+ types: [ published ]
 jobs:
 build-deb:
@@ -16,16 +16,21 @@ jobs:
 matrix:
 distro:
 - debian-unstable
+ - debian-trixie
+ - debian-bookworm
 - debian-bullseye
+ - ubuntu-noble
 - ubuntu-jammy
 - ubuntu-focal
+
+ # Pin your dependencies with https://github.com/mheap/pin-github-action
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # pin@v2
 with:
 egress-policy: audit
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 # Determine which PPA we should upload to
 - name: PPA
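Review bot: The trailing comments on the harden-runner and checkout pins change from exact releases (`# v2.7.1`, `# v4.1.4`) to `# pin@v2` and `# pin@v4`, so the file no longer records which release each commit SHA corresponds to. A reviewer now has to resolve each SHA upstream to confirm it is a tagged release of that action and not an arbitrary commit; the upload-artifact pin in the `-76,12` hunk has the same change. If the pinning tool tolerates extra text after its marker, keep the release beside it, for example `# pin@v2 (<resolved release tag>)`; otherwise list the resolved releases in the commit description.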
@@ -40,27 +45,49 @@ jobs:
 env:
 REF: ${{ github.ref }}
- - uses: legoktm/gh-action-auto-dch@18025761b70898aac9ddb5bdc726bcd083926714 # master
+ - uses: legoktm/gh-action-auto-dch@2b7d6a33db93a408d4b5e2edf38be7fd578b11d7 # pin@main
 with:
 fullname: Kiwix builder
 email: release+launchpad@kiwix.org
 distro: ${{ matrix.distro }}
- - uses: legoktm/gh-action-build-deb@4f3fbf87de8bf0870f44624693cae17b7ad34ca2 # debian-unstable
+ - uses: legoktm/gh-action-build-deb@7a6b22239275ae4e425fefc6f1aeb1118160500d # pin@debian-unstable
 if: matrix.distro == 'debian-unstable'
 name: Build package for debian-unstable
 id: build-debian-unstable
 with:
 args: --no-sign
- - uses: legoktm/gh-action-build-deb@1f7501377e7c229f373748af433e5c3818eeae6e # debian-bullseye
+ - uses: legoktm/gh-action-build-deb@b47978ba8498dc8b8153cc3b5f99a5fc1afa5de1 # pin@debian-trixie
+ if: matrix.distro == 'debian-trixie'
+ name: Build package for debian-trixie
+ id: build-debian-trixie
+ with:
+ args: --no-sign
+
+ - uses: legoktm/gh-action-build-deb@1f4e86a6bb34aaad388167eaf5eb85d553935336 # pin@debian-bookworm
+ if: matrix.distro == 'debian-bookworm'
+ name: Build package for debian-bookworm
+ id: build-debian-bookworm
+ with:
+ args: --no-sign
+
+ - uses: legoktm/gh-action-build-deb@084b4263209252ec80a75d2c78a586192c17f18d # pin@debian-bullseye
 if: matrix.distro == 'debian-bullseye'
 name: Build package for debian-bullseye
 id: build-debian-bullseye
 with:
 args: --no-sign
- - uses: legoktm/gh-action-build-deb@56d1c4bc50f5525fa9b66ac6d7a984ece0428d46 # ubuntu-jammy
+ - uses: legoktm/gh-action-build-deb@9114a536498b65c40b932209b9833aa942bf108d # pin@ubuntu-noble
+ if: matrix.distro == 'ubuntu-noble'
+ name: Build package for ubuntu-noble
+ id: build-ubuntu-noble
+ with:
+ args: --no-sign
+ ppa: ${{ steps.ppa.outputs.ppa }}
+
+ - uses: legoktm/gh-action-build-deb@1553bc52b826020691af83a7354a047f2727106c # pin@ubuntu-jammy
 if: matrix.distro == 'ubuntu-jammy'
 name: Build package for ubuntu-jammy
 id: build-ubuntu-jammy
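Review bot: Every `legoktm/*` pin in this hunk tracks a branch head (`pin@main`, `pin@debian-unstable`, `pin@ubuntu-noble`, …) and not a release, so each replaced SHA pulls in whatever landed on that upstream branch since the previous pin. These actions produce the packages that later steps of the same job push to `ppa:kiwixteam/dev` (visible in the last hunk), so each old-to-new SHA range should be diffed upstream before merging, and the commit description should say that this was done. The same applies to the ubuntu-focal pin and the two `gh-action-dput` pins in the following hunks. The ubuntu-jammy step continues past the end of this hunk.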
@@ -68,7 +95,7 @@ jobs: args: --no-sign ppa: ${{ steps.ppa.outputs.ppa }} - - uses: legoktm/gh-action-build-deb@e58c0b09a3955e39a4ab83ffe03025d622dda039 # ubuntu-focal + - uses: legoktm/gh-action-build-deb@77900afcbdc12874b7177e0e9fca2f4da043cd05 # pin@ubuntu-focal if: matrix.distro == 'ubuntu-focal' name: Build package for ubuntu-focal id: build-ubuntu-focal @@ -76,12 +103,12 @@ jobs: args: --no-sign ppa: ${{ steps.ppa.outputs.ppa }} - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4 with: name: Packages for ${{ matrix.distro }} path: output - - uses: legoktm/gh-action-dput@a41ede69b89b473fb9de31db5f82aef098ca6492 # master + - uses: legoktm/gh-action-dput@4f46c373c7d114c8885c376be07f9ad5490c4f51 # pin@main name: Upload dev package # Only upload on pushes to main if: github.event_name == 'push' && github.event.ref == 'refs/heads/main' && startswith(matrix.distro, 'ubuntu-') @@ -90,7 +117,7 @@ jobs: repository: ppa:kiwixteam/dev packages: output/*_source.changes - - uses: legoktm/gh-action-dput@a41ede69b89b473fb9de31db5f82aef098ca6492 # master + - uses: legoktm/gh-action-dput@4f46c373c7d114c8885c376be07f9ad5490c4f51 # pin@main name: Upload release package if: github.event_name == 'release' && startswith(matrix.distro, 'ubuntu-') with: