diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c671662667..aee7436579 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -49,7 +49,7 @@ jobs:
         with:
           go-version: '1.20'
       - name: Download Syft
-        uses: anchore/sbom-action/download-syft@v0.13.4
+        uses: anchore/sbom-action/download-syft@448520c4f19577ffce70a8317e619089054687e3 # v0.13.4
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4
         with:
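Review bot: The `Download Syft` step now pins the action's code to a commit, but nothing visible in this hunk fixes the Syft binary that the action fetches at run time, because the step has no `with:` block. The action appears to accept a `syft-version` input (confirm against its `action.yml` at this SHA); setting it explicitly would make the tool that builds the release SBOM as reproducible as the action that downloads it. The trailing `# v0.13.4` comment is the only link between the SHA and a tag, so check that the SHA resolves to that tag upstream. An updater such as Dependabot can then keep the SHA and the comment in step. The rest of the job, including the step that `go-version` belongs to, lies outside the hunk.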