diff --git a/.github/workflows/galaxy.yml b/.github/workflows/galaxy.yml
index 318842c15..7553ee6be 100644
--- a/.github/workflows/galaxy.yml
+++ b/.github/workflows/galaxy.yml
@@ -1,25 +1,25 @@
 ---
-name: Ansible Galaxy import
+name: Ansible Galaxy Role Import
 on:
   release:
-    types:
-      - published
+    types: [published]
   workflow_dispatch:
+permissions: read-all
 jobs:
-  galaxy:
-    name: Galaxy
-    runs-on: ubuntu-22.04
+  ansible-galaxy:
+    name: Import role to Ansible Galaxy
+    runs-on: ubuntu-24.04
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python 3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.x
 
-      - name: Install Ansible
+      - name: Install Ansible core
         run: pip3 install -r .github/workflows/requirements/requirements_galaxy.txt
 
-      - name: Import release to Ansible Galaxy
+      - name: Import role releases to Ansible Galaxy
         run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index 177218486..1fc6a3812 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -2,33 +2,31 @@
 name: Molecule CI/CD
 on:
   pull_request:
-    branches:
-      - main
+    branches: [main]
   push:
-    branches:
-      - main
-    tags-ignore:
-      - "**"
+    branches: [main]
+    tags-ignore: ["**"]
   schedule:
     - cron: "0 0 1 * *"
   workflow_dispatch:
+permissions: read-all
 jobs:
   ansible-lint:
     name: Ansible Lint
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python 3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.x
 
-      - name: Install Ansible Lint
+      - name: Install Ansible core and Ansible Lint
         run: pip3 install -r .github/workflows/requirements/requirements_ansible_lint.txt
 
-      - name: Install Ansible collection dependencies
+      - name: Install Ansible core collection dependencies
         run: ansible-galaxy install -r .github/workflows/requirements/requirements_ansible.yml
 
       - name: Run Ansible Lint
@@ -36,7 +34,7 @@ jobs:
 
   molecule:
     name: Molecule
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: ansible-lint
     env:
       AGENT_DATA_PLANE_KEY: ${{ secrets.AGENT_DATA_PLANE_KEY }}
@@ -69,7 +67,7 @@ jobs:
     steps:
       - name: Check out the codebase
         if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       # - name: Set up Docker QEMU
       #   if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }}
@@ -79,11 +77,11 @@ jobs:
 
       - name: Set up Python 3
         if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.x
 
-      - name: Install Molecule dependencies
+      - name: Install Ansible core and Molecule
         if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }}
         run: pip3 install -r .github/workflows/requirements/requirements_molecule.txt
 
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
deleted file mode 100644
index a533a4b52..000000000
--- a/.github/workflows/release-drafter.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-name: Release Drafter
-on:
-  pull_request:
-    types:
-      - opened
-      - reopened
-      - synchronize
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-jobs:
-  update_release_draft:
-    name: Update release draft
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: release-drafter/release-drafter@v6
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000..6eea2a3d1
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,20 @@
+---
+  name: Release Drafter
+  on:
+    push:
+      branches: [main]
+    pull_request_target:
+      types: [opened, reopened, synchronize]
+  permissions: read-all
+  jobs:
+    release-draft:
+      name: Update release draft
+      runs-on: ubuntu-24.04
+      permissions:
+        contents: write
+        pull-requests: write
+      steps:
+        - name: Run release drafter
+          uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+          env:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a252fd001..85af3d6b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,11 @@ FEATURES:
 
 - Add support for installing NGINX Open Source on Alpine Linux 3.20.
 
+CI/CD:
+
+- Update GitHub Actions to Ubuntu 24.04.
+- Switch GitHub Actions from using tags to release hashes.
+
 ## 0.24.3 (July 11, 2024)
 
 DEPRECATION WARNINGS: