diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1a9959cf44..40aa092bfd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,6 +25,35 @@ jobs:
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 - name: build
 run: |
+ if [ "${{ matrix.compiler }}" = "gcc" ]; then
+ if [ "${{ matrix.buildtype }}" = "release" ]; then
+ if [ "${{ matrix.distro }}" = "tumbleweed" ]; then
+ export CFLAGS="-O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
+ -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables \
+ -fstack-clash-protection -Werror=return-type -flto=auto -g"
+ export CXXFLAGS="$CFLAGS"
+ export LDFLAGS="-flto=auto"
+ # TODO: The RH build depends on environment varibles/settings which prevent
+ # the compiler from working.
+ #
+ # elif [ "${{ matrix.distro }}" = "fedora" ]; then
+ # export CFLAGS="-O2 -flto=auto -ffat-lto-objects -fexceptions -g \
+ # -grecord-gcc-switches -pipe -Wall -Werror=format-security \
+ # -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS \
+ # -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong \
+ # -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=i686 -mtune=generic \
+ # -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables \
+ # -fstack-clash-protection"
+ # export CXXFLAGS="$CFLAGS"
+ # export LDFLAGS='-Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs \
+ # -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld \
+ # -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors \
+ # -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 \
+ # -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes'
+ fi
+ fi
+ fi
+
 scripts/build.sh -b ${{ matrix.buildtype }} -c ${{ matrix.compiler }} -x
 - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 name: upload logs
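Review bot: The commented-out Fedora block sets LDFLAGS inside single quotes (`# export LDFLAGS='-Wl,-z,relro ... \`), where a trailing backslash is not a line continuation, so once the block is re-enabled the value would carry literal backslashes and newlines into the link command. Using double quotes, as the CFLAGS assignments in this hunk already do, avoids that. The new conditions also splice `${{ matrix.compiler }}`, `${{ matrix.buildtype }}` and `${{ matrix.distro }}` directly into the script text; matrix values come from the workflow itself, so the risk is low, but passing them through the step's `env:` and testing `"$COMPILER"` keeps expressions out of the shell body. The TODO comment has a typo (`varibles`), and the `build` step itself starts before this hunk, so whether `scripts/build.sh` honours the exported flags cannot be confirmed from here.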
@@ -144,7 +173,7 @@ jobs:
 container:
 image: ghcr.io/linux-nvme/debian:latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Mark repo as safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 - name: build
@@ -157,7 +186,7 @@ jobs:
 container:
 image: ghcr.io/linux-nvme/alpine:latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Mark repo as safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 - name: build
diff --git a/.github/workflows/libnvme-cleanup-python.yml b/.github/workflows/libnvme-cleanup-python.yml
index 327d25e401..036677f0eb 100644
--- a/.github/workflows/libnvme-cleanup-python.yml
+++ b/.github/workflows/libnvme-cleanup-python.yml
@@ -19,7 +19,7 @@ jobs:
 environment: pypi
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install pypi-cleanup
 run: pip install pypi-cleanup
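Review bot: In the build.yml hunk at -144, the job that now pins `actions/checkout` to a commit SHA still runs inside `image: ghcr.io/linux-nvme/debian:latest`, a mutable tag, so the environment that executes the pinned action and the build is not held to the same standard. The alpine job in the following hunk (-157) has the same shape. If tamper-resistance and reproducibility are the aim of this change, consider referencing both images by digest, e.g. `image: ghcr.io/linux-nvme/debian@sha256:<digest>` (placeholder). The images appear to be first-party, which lowers the risk, and both job definitions start outside their hunks.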
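Review bot: In libnvme-cleanup-python.yml, the step right after the newly pinned checkout, `run: pip install pypi-cleanup`, still installs whatever version is current at run time, and the job is bound to `environment: pypi`. Pinning the action closes one mutable input, but the unpinned tool remains a second one in a job that presumably can reach publishing credentials; whether that environment holds secrets is not visible here and should be confirmed. Consider `run: pip install pypi-cleanup==<version>` (placeholder), ideally from a requirements file installed with `--require-hashes`.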