diff --git a/.github/actions/cancel-stack/action.yml b/.github/actions/cancel-stack/action.yml
index e601b4ba..5256b493 100644
--- a/.github/actions/cancel-stack/action.yml
+++ b/.github/actions/cancel-stack/action.yml
@@ -71,7 +71,7 @@ outputs:
 
 runs:
   using: 'docker'
-  image: 'docker://simplecontainer/github-actions:latest'
+  image: 'docker://simplecontainer/github-actions:staging'
   env:
     GITHUB_ACTION_TYPE: 'cancel-stack'
     STACK_NAME: ${{ inputs.stack-name }}
diff --git a/.github/actions/deploy-client-stack/action.yml b/.github/actions/deploy-client-stack/action.yml
index 534006b9..b435f2dd 100644
--- a/.github/actions/deploy-client-stack/action.yml
+++ b/.github/actions/deploy-client-stack/action.yml
@@ -69,7 +69,7 @@ outputs:
 
 runs:
   using: 'docker'
-  image: 'docker://simplecontainer/github-actions:latest'
+  image: 'docker://simplecontainer/github-actions:staging'
   env:
     GITHUB_ACTION_TYPE: 'deploy-client-stack'
     STACK_NAME: ${{ inputs.stack-name }}
diff --git a/.github/actions/destroy/action.yml b/.github/actions/destroy/action.yml
index ef28e893..8fadc740 100644
--- a/.github/actions/destroy/action.yml
+++ b/.github/actions/destroy/action.yml
@@ -72,7 +72,7 @@ outputs:
 
 runs:
   using: 'docker'
-  image: 'docker://simplecontainer/github-actions:latest'
+  image: 'docker://simplecontainer/github-actions:staging'
   env:
     GITHUB_ACTION_TYPE: 'destroy'
     STACK_NAME: ${{ inputs.stack-name }}
diff --git a/.github/actions/provision-parent-stack/action.yml b/.github/actions/provision-parent-stack/action.yml
index 7e3e5ec3..9042038f 100644
--- a/.github/actions/provision-parent-stack/action.yml
+++ b/.github/actions/provision-parent-stack/action.yml
@@ -62,7 +62,7 @@ outputs:
 
 runs:
   using: 'docker'
-  image: 'docker://simplecontainer/github-actions:latest'
+  image: 'docker://simplecontainer/github-actions:staging'
   env:
     GITHUB_ACTION_TYPE: 'provision-parent-stack'
     STACK_NAME: ${{ inputs.stack-name }}
diff --git a/welder.yaml b/welder.yaml
index c0023016..2b805960 100644
--- a/welder.yaml
+++ b/welder.yaml
@@ -272,6 +272,12 @@ tasks:
   tag-release:
     runOn: host
     script:
+      # Pin the github-actions runtime image to this exact release version in
+      # every composite action, so consumers pinning the action git ref get a
+      # reproducible image instead of floating :staging. Mirrors branch-preview.yaml.
+      - find .github/actions -name action.yml -exec sed -i "s|docker://simplecontainer/github-actions:staging|docker://simplecontainer/github-actions:${project:version}|g" {} +
+      - git add .github/actions/*/action.yml
+      - git commit -m "chore(release): pin github-actions image to ${project:version}" || echo "github-actions image tags already pinned"
       - git tag ${project:version} || echo "Already set tag ${project:version}"
       - git push -f origin ${project:version} || echo "Tag ${project:version} already exists in origin"
   build-docs: