diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ebe6efd..4597ee9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,21 +3,31 @@ on: push: pull_request_target: types: [labeled] + +env: + JAVA_VERSION: 25 + jobs: build: name: Build and Test runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # OIDC token for the attestations step + attestations: write # Required for the attestations step + outputs: + sha256: ${{ steps.checksums.outputs.sha256 }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: - fetch-depth: 0 - - uses: actions/setup-java@v4 + fetch-depth: 0 # deep fetch for better sonarcloud analysis + - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0 with: - java-version: 23 distribution: 'temurin' + java-version: ${{ env.JAVA_VERSION }} cache: 'maven' - name: Cache SonarCloud packages - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar @@ -26,9 +36,8 @@ jobs: if: startsWith(github.ref, 'refs/tags/') run: ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/} - name: Build and Test - id: buildAndTest run: > - ./mvnw -B verify + ./mvnw -B verify --no-transfer-progress jacoco:report org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Pcoverage 
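Review bot: The job-level `permissions` block grants `id-token: write` and `attestations: write` on every run of `build`, including runs triggered by `pull_request_target` and plain branch pushes, although the only consumer of those scopes visible in this file is the `Attest` step in the next hunk, which is gated on `startsWith(github.ref, 'refs/tags/')`. Job permissions cannot be made conditional, so either document the decision (`# granted on every trigger; only the tag-gated Attest step uses them`) or move attestation into a tag-only job so `build` keeps `contents: read` alone. A smaller point: `JAVA_VERSION: 25` is an unquoted integer; setup-java coerces it today, but a future value such as `25.0` would be parsed as a float, so `JAVA_VERSION: "25"` is the safer form. The `on:` block with the `pull_request_target` trigger starts before this hunk, so I cannot see whether it is restricted further.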
@@ -38,14 +47,121 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - uses: actions/upload-artifact@v4 + - name: Calculate Checksums + id: checksums + run: | + { + echo 'sha256<> $GITHUB_OUTPUT + - name: Attest + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0 + with: + subject-path: | + target/*.jar + target/*.pom + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: artifacts path: target/*.jar - - name: Create Release - uses: softprops/action-gh-release@v2 + + deploy-central: + name: Deploy to Maven Central + runs-on: ubuntu-latest + permissions: + id-token: write # OIDC token for sigstore signing + contents: read # Required for sigstore signing + needs: [build] + if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]')) + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0 + with: + distribution: 'temurin' + java-version: ${{ env.JAVA_VERSION }} + cache: 'maven' + server-id: central + server-username: MAVEN_CENTRAL_USERNAME + server-password: MAVEN_CENTRAL_PASSWORD + - name: Enforce to use tagged version if: startsWith(github.ref, 'refs/tags/') + run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}" + - name: Verify project version is -SNAPSHOT + if: startsWith(github.ref, 'refs/tags/') == false + run: | + PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout) + test "${PROJECT_VERSION: -9}" = "-SNAPSHOT" + - name: Deploy to Maven Central + run: ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress + env: + MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }} + MAVEN_CENTRAL_PASSWORD: ${{ 
secrets.MAVEN_CENTRAL_PASSWORD }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} + MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import + MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} + + deploy-github: + name: Deploy to GitHub Packages + runs-on: ubuntu-latest + permissions: + packages: write # Required for the deploy to GitHub Packages step + id-token: write # OIDC token for sigstore signing + contents: read # Required for sigstore signing + needs: [build] + if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]')) + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0 + with: + java-version: ${{ env.JAVA_VERSION }} + distribution: 'temurin' + cache: 'maven' + - name: Enforce to use tagged version + if: startsWith(github.ref, 'refs/tags/') + run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}" + - name: Verify project version is -SNAPSHOT + if: startsWith(github.ref, 'refs/tags/') == false + run: | + PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout) + test "${PROJECT_VERSION: -9}" = "-SNAPSHOT" + - name: Deploy to GitHub Packages + run: ./mvnw deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} + MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import + MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} + + release: + name: Release + runs-on: ubuntu-latest + permissions: + contents: write # Required for the release step + needs: [build, deploy-central, deploy-github] + if: startsWith(github.ref, 'refs/tags/') + steps: + - name: Create Release + uses: 
softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: prerelease: true token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} generate_release_notes: true + body: |- + ### Changelog + For a list of all notable changes, read the [changelog](/CHANGELOG.md). + + ### Maven Coordinates + ```xml + + org.cryptomator + cryptolib + ${{ github.ref_name }} + + ``` + + ### Artifact Checksums + ```txt + ${{ needs.build.outputs.sha256 }} + ``` \ No newline at end of file diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a1f3be1..fcb0fb7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -14,19 +14,20 @@ jobs: name: Analyse runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 2 - - uses: actions/setup-java@v4 + show-progress: false + - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0 with: - java-version: 23 + java-version: 25 distribution: 'temurin' cache: 'maven' - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: languages: java - name: Build and Test run: ./mvnw -B install -DskipTests - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 \ No newline at end of file + uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 \ No newline at end of file diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 624bea2..a90b656 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml 
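Review bot: The artifacts attested in `build` are not the artifacts that get published: `deploy-central` and `deploy-github` each check out the source and run `./mvnw deploy -B -DskipTests` again, so the provenance statement and the `sha256` values printed in the release body describe the `build` job's `target/*.jar`, while Maven Central and GitHub Packages receive separately compiled jars that only match if the Maven build is fully reproducible, which this diff does not show. Consider deploying the `artifacts` uploaded by `build` (download-artifact followed by a deploy of the prebuilt files) or at least recomputing and comparing the checksum inside the deploy jobs, so the attestation covers what users actually download. Second, both deploy jobs also fire on any push whose head commit message contains `[deploy]` with no branch restriction visible in the `if:`, so a snapshot deploy using the release GPG key and Central credentials can be started from any branch by anyone with push access; adding a condition like `github.ref == 'refs/heads/<release-branch>'` (placeholder, use the intended branch) to that path is a cheap check. As rendered here, the heredoc body of the `Calculate Checksums` step between `sha256<` and `>> $GITHUB_OUTPUT` and the XML inside the Maven Coordinates block are not visible, so I could not verify what is hashed or whether the coordinates are complete. The `build` job's step list begins in the previous hunk.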
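Review bot: `java-version: 25` is an unquoted integer, and this is now the third place the Java version is declared (alongside `JAVA_VERSION` in build.yml and the value in dependency-check.yml); quoting it as `java-version: "25"` matches the string input setup-java expects and avoids the float trap for values like `25.0`, and a comment such as `# keep in sync with JAVA_VERSION in build.yml` would make the coordinated bump visible to the next maintainer. The header of the `Analyse` job starts before this hunk, so I cannot see whether it declares `permissions` with `security-events: write` for the analyze step; if the workflow relies on default token permissions, declaring them explicitly next to the newly pinned actions would complete the hardening this commit starts.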
@@ -10,11 +10,11 @@ on: jobs: check-dependencies: - uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v3 + uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@1074588008ae3326a2221ea451783280518f0366 # v3.0.1 with: runner-os: 'ubuntu-latest' java-distribution: 'temurin' - java-version: 23 + java-version: 25 secrets: nvd-api-key: ${{ secrets.NVD_API_KEY }} ossindex-username: ${{ secrets.OSSINDEX_USERNAME }} diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml deleted file mode 100644 index fbb1820..0000000 --- a/.github/workflows/publish-central.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: Publish to Maven Central -on: - release: - types: [published] -jobs: - publish: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 - with: - java-version: 23 - distribution: 'temurin' - cache: 'maven' - server-id: central - server-username: MAVEN_CENTRAL_USERNAME - server-password: MAVEN_CENTRAL_PASSWORD - - name: Enforce project version ${{ github.event.release.tag_name }} - run: ./mvnw versions:set -B -DnewVersion="$GIT_TAG" - env: - GIT_TAG: ${{ github.event.release.tag_name }} - - name: Deploy - run: ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress - env: - MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }} - MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} - MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} - MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml deleted file mode 100644 index 51a604d..0000000 --- a/.github/workflows/publish-github.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: Publish to GitHub Packages -on: - release: - types: [published] -jobs: - publish: - runs-on: ubuntu-latest - if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 - with: - java-version: 23 - distribution: 'temurin' - cache: 'maven' - - name: Enforce project version ${{ github.event.release.tag_name }} - run: ./mvnw versions:set -B -DnewVersion=${{ github.event.release.tag_name }} - - name: Deploy - run: ./mvnw deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} - MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} - MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 292a0f9..4db04e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,4 +11,7 @@ Changes to prior versions can be found on the [Github release page](https://gith ### Added - Changelog file -- Maven wrapper script ([#103](https://github.com/cryptomator/cryptolib/pull/103)) \ No newline at end of file +- Maven wrapper script ([#103](https://github.com/cryptomator/cryptolib/pull/103)) + +### Changed +- Pin CI actions \ No newline at end of file