diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b1e8b0a..89f890c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,3 +15,6 @@ updates:
   - dependencies
   - gha
   - pinned
+  groups:
+    all-actions:
+      patterns: ["*"]
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8727635..7580c45 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -104,11 +104,12 @@ jobs:
 
 
     - name: Configure Fast APT Mirror
-      uses: vegardit/fast-apt-mirror.sh@v1
+      uses: vegardit/fast-apt-mirror.sh@e5288ed7a13da650050035a7d47c2aa17779bbb3 # v1.4.1
 
 
     - name: Git Checkout
-      uses: actions/checkout@v6  # https://github.com/actions/checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
+      # https://github.com/actions/checkout
 
 
     - name: "Install: Chromium Browser"
@@ -122,7 +123,7 @@ jobs:
 
 
     - name: "Install: Python and PDM"  # https://github.com/pdm-project/setup-pdm
-      uses: pdm-project/setup-pdm@v4
+      uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4
       with:
         python-version: "${{ matrix.PYTHON_VERSION }}"
         cache: ${{ !startsWith(matrix.os, 'macos') }}  # https://github.com/pdm-project/setup-pdm/issues/55
@@ -246,7 +247,7 @@ jobs:
 
 
     - name: Upload self-contained executable
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       if: (github.ref_name == 'main' || github.ref_name == 'release') && matrix.PUBLISH_RELEASE && !env.ACT
       with:
         name: artifacts-${{ matrix.os }}
@@ -276,7 +277,7 @@ jobs:
 
 
     - name: Collect coverage reports
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       if: (github.ref_name == 'main' || github.event_name == 'pull_request') && !env.ACT
       with:
         name: coverage-${{ matrix.os }}-py${{ matrix.PYTHON_VERSION }}
@@ -293,13 +294,17 @@ jobs:
     timeout-minutes: 5
     if: (github.ref_name == 'main' || github.event_name == 'pull_request') && !github.event.act
 
+    permissions:
+      contents: read
+
     steps:
     - name: Git Checkout # required to avoid https://docs.codecov.com/docs/error-reference#unusable-reports
-      uses: actions/checkout@v6  # https://github.com/actions/checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
+      # https://github.com/actions/checkout
 
 
     - name: Download coverage reports
-      uses: actions/download-artifact@v6
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         pattern: coverage-*
         path: coverage
@@ -310,7 +315,8 @@ jobs:
 
 
     - name: Publish unit-test coverage
-      uses: codecov/codecov-action@v5  # https://github.com/codecov/codecov-action
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0
+      # https://github.com/codecov/codecov-action
       with:
         slug: ${{ github.repository }}
         name: unit-coverage
@@ -322,7 +328,8 @@ jobs:
 
 
     - name: Publish integration-test coverage
-      uses: codecov/codecov-action@v5  # https://github.com/codecov/codecov-action
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0
+      # https://github.com/codecov/codecov-action
       with:
         slug: ${{ github.repository }}
         name: integration-coverage
@@ -334,7 +341,8 @@ jobs:
 
 
     - name: Publish smoke-test coverage
-      uses: codecov/codecov-action@v5  # https://github.com/codecov/codecov-action
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0
+      # https://github.com/codecov/codecov-action
       with:
         slug: ${{ github.repository }}
         name: smoke-coverage
@@ -379,17 +387,18 @@ jobs:
 
 
     - name: Configure Fast APT Mirror
-      uses: vegardit/fast-apt-mirror.sh@v1
+      uses: vegardit/fast-apt-mirror.sh@e5288ed7a13da650050035a7d47c2aa17779bbb3 # v1.4.1
 
 
     - name: Git Checkout
       # only required by "gh release create" to prevent "fatal: Not a git repository"
-      uses: actions/checkout@v6  # https://github.com/actions/checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
+      # https://github.com/actions/checkout
 
 
     - name: Delete untagged docker image
       continue-on-error: true
-      uses: actions/delete-package-versions@v5
+      uses: actions/delete-package-versions@25ad4af5be03aef10e0b3376b248688b7a44c40b # v5.0.0
       with:
         token: ${{ github.token }}
         delete-only-untagged-versions: true
@@ -398,7 +407,7 @@ jobs:
 
 
     - name: Download build artifacts
-      uses: actions/download-artifact@v6
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 
 
     - name: Rename build artifacts
@@ -482,7 +491,8 @@ jobs:
 
 
     - name: "Delete intermediate build artifacts"
-      uses: geekyeggo/delete-artifact@v5  # https://github.com/GeekyEggo/delete-artifact/
+      uses: geekyeggo/delete-artifact@b54d29a59e55046d1f7fc8226cdda507e6b9cf62 # v5.0.0
+      # https://github.com/GeekyEggo/delete-artifact/
       with:
         name: "*"
         failOnError: false
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7258871..9fbbc70 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -67,11 +67,12 @@ jobs:
 
 
     - name: Git Checkout
-      uses: actions/checkout@v6  # https://github.com/actions/checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
+      # https://github.com/actions/checkout
 
 
     - name: "Install: Python and PDM"  # https://github.com/pdm-project/setup-pdm
-      uses: pdm-project/setup-pdm@v4
+      uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4
       with:
         python-version: "${{ env.PYTHON_VERSION }}"
         cache: true
@@ -91,7 +92,8 @@ jobs:
 
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4  # https://github.com/github/codeql-action/blob/main/init/action.yml
+      uses: github/codeql-action/init@36a9c375704a9813bd709881c97694bcd24e1cb1 # v4.0.0
+      # https://github.com/github/codeql-action/blob/main/init/action.yml
       with:
         languages: actions,python
         # https://github.com/github/codeql-action#build-modes
@@ -100,4 +102,5 @@ jobs:
         queries: security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4  # https://github.com/github/codeql-action
+      uses: github/codeql-action/analyze@36a9c375704a9813bd709881c97694bcd24e1cb1 # v4.0.0
+      # https://github.com/github/codeql-action
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 13afe67..677d6f5 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -38,7 +38,8 @@ jobs:
 
 
     - name: Generate GitHub Access Token
-      uses: tibdex/github-app-token@v2  # https://github.com/tibdex/github-app-token
+      uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+      # https://github.com/tibdex/github-app-token
       id: generate_token
       # see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
       with:
@@ -48,7 +49,8 @@ jobs:
 
 
     - name: Git Checkout
-      uses: actions/checkout@v5  # https://github.com/actions/checkout
+      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.0
+      # https://github.com/actions/checkout
       with:
         token: ${{ steps.generate_token.outputs.token }}
         ref: main
diff --git a/.github/workflows/update-python-deps.yml b/.github/workflows/update-python-deps.yml
index 94f7f24..bd6df91 100644
--- a/.github/workflows/update-python-deps.yml
+++ b/.github/workflows/update-python-deps.yml
@@ -19,6 +19,10 @@ defaults:
 env:
   PYTHON_VERSION: "3.10"
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
 
   ###########################################################
@@ -39,7 +43,8 @@ jobs:
 
 
     - name: Generate GitHub Access Token
-      uses: tibdex/github-app-token@v2  # https://github.com/tibdex/github-app-token
+      uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+      # https://github.com/tibdex/github-app-token
       id: generate_token
       # see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
       with:
@@ -49,13 +54,14 @@ jobs:
 
 
     - name: Git Checkout
-      uses: actions/checkout@v6  # https://github.com/actions/checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0
+      # https://github.com/actions/checkout
       with:
         token: ${{ steps.generate_token.outputs.token }}
 
 
     - name: "Install: Python and PDM"  # https://github.com/pdm-project/setup-pdm
-      uses: pdm-project/setup-pdm@v4
+      uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4
       with:
         python-version: "${{ env.PYTHON_VERSION }}"
         cache: true
@@ -101,7 +107,8 @@ jobs:
 
 
     - name: Create PR
-      uses: peter-evans/create-pull-request@v7  # https://github.com/peter-evans/create-pull-request
+      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.5
+      # https://github.com/peter-evans/create-pull-request
       if: "${{ steps.update_deps.outputs.updates != '' }}"
       with:
         title: "chore: ${{ steps.update_deps.outputs.title }}"
diff --git a/.github/workflows/validate-pr-title.yml b/.github/workflows/validate-pr-title.yml
index b9bf5d9..6111529 100644
--- a/.github/workflows/validate-pr-title.yml
+++ b/.github/workflows/validate-pr-title.yml
@@ -17,7 +17,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Validate semantic PR title"
-        uses: amannn/action-semantic-pull-request@v6 # https://github.com/amannn/action-semantic-pull-request
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.0.0
+        # https://github.com/amannn/action-semantic-pull-request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -42,6 +43,7 @@ jobs:
           requireScope: false
 
       - name: "Label PR"
-        uses: srvaroa/labeler@v1.13.0 # https://github.com/srvaroa/labeler
+        uses: srvaroa/labeler@0a20eccb8c94a1ee0bed5f16859aece1c45c3e55 # v1.13.0
+        # https://github.com/srvaroa/labeler
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/src/kleinanzeigen_bot/utils/reflect.py b/src/kleinanzeigen_bot/utils/reflect.py
index fa9aa78..f0b82fc 100644
--- a/src/kleinanzeigen_bot/utils/reflect.py
+++ b/src/kleinanzeigen_bot/utils/reflect.py
@@ -13,7 +13,12 @@ def get_caller(depth:int = 1) -> inspect.FrameInfo | None:
                 return frame
         return None
     finally:
-        del stack  # Clean up the stack to avoid reference cycles
+        # Explicitly delete stack frames to prevent reference cycles and potential memory leaks.
+        # inspect.stack() returns FrameInfo objects that contain references to frame objects,
+        # which can create circular references. While Python's GC handles this, explicit cleanup
+        # is recommended per Python docs: https://docs.python.org/3/library/inspect.html#the-interpreter-stack
+        # codeql[py/unnecessary-delete]
+        del stack
 
 
 def is_integer(obj:Any) -> bool: