diff --git a/.github/workflows/trunk.yml b/.github/workflows/trunk.yml
index 99d52c1e9e9e686f2697cda240a68a6cc1bf64f6..7e5243ac2cdb1bc641970de61886c4ebbb42a056 100644
--- a/.github/workflows/trunk.yml
+++ b/.github/workflows/trunk.yml
@@ -51,7 +51,7 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
diff --git a/nix/checks/pinact.nix b/nix/checks/pinact.nix
index c032bc9fc927622bc1a2f13d52cf2cad33e0e3d2..109bd14f839812a694c275d4ced4f0fe4d5b3e3d 100644
--- a/nix/checks/pinact.nix
+++ b/nix/checks/pinact.nix
@@ -1,7 +1,12 @@
 { pkgs, src }:
 
-pkgs.writeShellApplication {
-  name = "pinact";
-  runtimeInputs = with pkgs; [ pinact ];
-  text = "pinact run --check --verify";
-}
+pkgs.runCommand "pinact"
+  {
+    inherit src;
+    nativeBuildInputs = with pkgs; [ pinact ];
+  }
+  ''
+    cd "$src"
+    pinact run --check --verify
+    touch "$out"
+  ''
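Review bot: `pinact run --check --verify` on the new line is now executed inside a runCommand derivation, i.e. in the Nix build sandbox, and `--verify` appears to need network access to compare each pinned commit SHA with its version comment; if that is the case the check will fail at build time for every evaluation rather than only on drift. The old writeShellApplication form ran the same command at call time, outside the sandbox, so this is a behaviour change the commit does not mention. If `--verify` cannot be satisfied offline, either keep it out of this check (`pinact run --check`) and run the verifying variant where network is available, or record the assumption above the command, `# --verify needs network; this check only passes with the sandbox relaxed`. Also worth confirming that `src` is narrowed to the workflow files, since any change to the repository will otherwise rebuild this check.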