diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7a968a8..e825220 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
   directory: "/"
   schedule:
     interval: monthly
+  assignees:
+    - "dalito"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a1de905..a30aacc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,9 +31,9 @@ jobs:
         - '3.12'
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -48,9 +48,9 @@ jobs:
         python -m coverage run -p -m pytest
 
     - name: Upload coverage data
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
       with:
-        name: coverage-data
+        name: coverage-data-${{ matrix.python-version }}
         path: .coverage.*
 
   coverage:
@@ -58,19 +58,20 @@ jobs:
     needs: tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
-          python-version: '3.11'
+          python-version: '3.12'
 
       - name: Install dependencies
         run: python -m pip install --upgrade coverage[toml]
 
       - name: Download data
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
         with:
-          name: coverage-data
+          pattern: coverage-data-*
+          merge-multiple: true
 
       - name: Combine coverage, create reports and fail if less than threshold.
         run: |
@@ -85,7 +86,7 @@ jobs:
 
       - name: Upload HTML report
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
         with:
           name: html-report
           path: .htmlcov
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 930d33f..4c5bd15 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -1,7 +1,7 @@
 name: Publish Python Package
 # Publishes to
-# - PyPI on releases created in GitHub UI
 # - TestPyPI on new tags "v1.2.3" or "v1.2.3.something" on main branch
+# - PyPI on releases created in GitHub UI
 
 on:
   push:
@@ -15,14 +15,16 @@ on:
 jobs:
   build:
     name: Build Python 🐍 distributions 📦 for publishing
+    # Don't try to publish from forks
+    if: github.repository == 'nfid4cat/voc4cat-tool'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
-          python-version: 3.11
+          python-version: 3.12
 
       - name: Install hatch
         run: pipx install hatch
@@ -31,13 +33,13 @@ jobs:
         run: hatch build
 
       - name: Store built distribution
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
         with:
           name: distribution-files
           path: dist/
 
   pypi-publish:
-    name: Build and publish Python 🐍 distributions 📦 to PyPI and TestPyPI
+    name: Build and publish Python 🐍 package 📦 to PyPI and TestPyPI
     needs: build
     runs-on: ubuntu-latest
     environment:
@@ -47,21 +49,25 @@ jobs:
       id-token: write  # this permission is mandatory for trusted publishing
     steps:
       - name: Download built distribution
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
         with:
           name: distribution-files
           path: dist
 
-      # version pinned by dependabot of action [2]
-      - name: Publish distribution 📦 to Test PyPI
+      - name: Publish package 📦 to Test PyPI
         if: github.event_name == 'push'
         uses: pypa/gh-action-pypi-publish@8a08d616893759ef8e1aa1f2785787c0b97e20d6
         with:
           repository-url: https://test.pypi.org/legacy/
 
-      - name: Publish distribution 📦 to PyPI
+      - name: Publish package 📦 to PyPI
         if: github.event_name == 'release'
         uses: pypa/gh-action-pypi-publish@8a08d616893759ef8e1aa1f2785787c0b97e20d6
 
 # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
-# [2] https://github.com/pypa/gh-action-pypi-publish/
+# Used actions: (updates managed by dependabot)
+# - https://github.com/actions/checkout
+# - https://github.com/actions/setup-python
+# - https://github.com/actions/upload-artifact
+# - https://github.com/actions/download-artifact
+# - https://github.com/pypa/gh-action-pypi-publish/