diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
index be7c0ad..25cdd1b 100644
--- a/.clusterfuzzlite/Dockerfile
+++ b/.clusterfuzzlite/Dockerfile
@@ -1,4 +1,4 @@
-FROM gcr.io/oss-fuzz-base/base-builder-rust
+FROM gcr.io/oss-fuzz-base/base-builder-rust@sha256:c0f40c4bfbcdfff147e0b8b6f1b1026d5d5144865e514261ad05560b38e6270e
 COPY . $SRC/kingfisher
 COPY .clusterfuzzlite/build.sh $SRC/build.sh
diff --git a/.github/requirements/pypi-build.txt b/.github/requirements/pypi-build.txt
new file mode 100644
index 0000000..faebe88
--- /dev/null
+++ b/.github/requirements/pypi-build.txt
@@ -0,0 +1,7 @@
+build==1.4.0 \
+ --hash=sha256:6a07c1b8eb6f2b311b96fcbdbce5dab5fe637ffda0fd83c9cac622e927501596 \
+ --hash=sha256:f1b91b925aa322be454f8330c6fb48b465da993d1e7e7e6fa35027ec49f3c936
+packaging==26.0 \
+ --hash=sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529
+pyproject_hooks==1.2.0 \
+ --hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index e429d77..d736380 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -1,13 +1,12 @@
 name: pypi-wheels
 on:
- workflow_run:
- workflows: ["Publish Docker image"]
- types: [completed]
+ release:
+ types: [published]
 workflow_dispatch:
 inputs:
 tag:
- description: "Release tag to package (e.g., v1.2.3). Leave blank to use Cargo.toml."
+ description: "Release tag to package (e.g., v1.2.3). Leave blank to use the latest release."
 required: false
 type: string
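Review bot: The new FROM line pins by digest but drops the tag, so neither a reader of the Dockerfile nor `docker history` can tell which base-builder-rust build the digest corresponds to; the `docker/Dockerfile` hunk in this same commit keeps the tag next to the digest (`alpine:latest@sha256:…`), and this file should use the same form, `FROM gcr.io/oss-fuzz-base/base-builder-rust:latest@sha256:c0f40c4bfbcdfff147e0b8b6f1b1026d5d5144865e514261ad05560b38e6270e`. A digest pin also freezes the fuzzing toolchain until someone bumps it, so a comment such as `# pinned <DATE-PLACEHOLDER>; refreshed by Renovate/Dependabot docker digest updates` records that maintenance duty where the next reader will see it.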
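Review bot: `release: types: [published]` also fires when a pre-release is published, and with the job-level `if:` removed in the next hunk nothing filters those runs, so wheels would be built and published for pre-releases too. If that is not intended, guard the job with `if: github.event_name != 'release' || !github.event.release.prerelease` on the `build-wheels` job, whose `jobs:` block is in a later hunk.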
@@ -16,31 +15,26 @@ permissions: {}
 jobs:
 build-wheels:
 name: Build PyPI wheels
- if: >
- github.event_name != 'workflow_run' ||
- github.event.workflow_run.conclusion == 'success' ||
- github.run_attempt > 1
 runs-on: ubuntu-latest
 permissions:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
-
 - name: Determine version/tag
 id: version
 shell: bash
 env:
 INPUT_TAG: ${{ github.event.inputs.tag || '' }}
+ RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
+ GH_TOKEN: ${{ github.token }}
 run: |
 set -euo pipefail
- if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
+ if [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
+ TAG="${RELEASE_TAG_NAME}"
+ elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
 TAG="${INPUT_TAG}"
 else
- VERSION=$(grep -m1 '^version\s*=' Cargo.toml | cut -d '"' -f2)
- TAG="v${VERSION}"
+ TAG=$(gh release view --json tagName --jq .tagName)
 fi
 if [[ ! "${TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
 echo "Invalid tag format: ${TAG}" >&2
@@ -50,6 +44,10 @@ jobs:
 echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
 echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ steps.version.outputs.tag }}
+
 - name: Download release assets
 env:
 GH_TOKEN: ${{ github.token }}
@@ -89,7 +87,7 @@ jobs:
 done
 - name: Install build tooling
- run: python -m pip install --upgrade build
+ run: python -m pip install --upgrade --require-hashes -r .github/requirements/pypi-build.txt
 - name: Build wheels
 shell: bash
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 1657506..3b84799 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
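Review bot: The `Determine version/tag` step now runs before `actions/checkout` (the checkout is moved below it in the `@@ -50` hunk), so its new fallback `TAG=$(gh release view --json tagName --jq .tagName)` executes in a working directory that is not a git clone, and `gh` has no repository to resolve the command against unless one is given explicitly. Add `GH_REPO: ${{ github.repository }}` to the step's `env:` next to the new `GH_TOKEN` line; `release-docker.yml` avoids the same problem by putting `${{ github.repository }}` directly into its REST URL. Without it the manual-dispatch-without-tag path, the only one that reaches the `else` branch, fails before any tag validation happens.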
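Review bot: `--require-hashes` puts pip into hash-checking mode, which requires every package that ends up installed, transitive ones included, to be listed with a hash; `.github/requirements/pypi-build.txt` lists only `build`, `packaging` and `pyproject_hooks`, while `build` also depends on `tomli` on interpreters older than 3.11 (and `importlib-metadata` before 3.10.2), so the step would fail on such a runner. The `setup-python` step is outside this hunk, so confirm the interpreter it selects, or add those conditional dependencies with hashes to the requirements file. `--upgrade` is redundant once every requirement is `==`-pinned and can be dropped from the `run:` line.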
@@ -9,14 +9,7 @@ on:
 release:
 types: [published]
- # 2️⃣ Option 2: run every time the build-and-release workflow
- # completes successfully on the main branch
- workflow_run:
- workflows: ["build-and-release"]
- types: [completed]
- branches: [main]
-
- # 3️⃣ Manual: “Run workflow” button or `gh workflow run`
+ # 2️⃣ Manual: “Run workflow” button or `gh workflow run`
 workflow_dispatch:
 inputs:
 tag:
@@ -32,25 +25,9 @@ permissions:
 ###############################################################################
 jobs:
 build-and-push:
- # Run if:
- # - event is NOT workflow_run (release, workflow_dispatch)
- # - OR workflow_run completed successfully
- # - OR this is a re-run (run_attempt > 1) so we force it to run
- if: >
- github.event_name != 'workflow_run' ||
- github.event.workflow_run.conclusion == 'success' ||
- github.run_attempt > 1
 runs-on: ubuntu-latest
 steps:
- # -----------------------------------------------------------------------
- # Check out the exact commit that produced the artifacts (workflow_run),
- # otherwise just use the SHA tied to the release / manual dispatch.
- # -----------------------------------------------------------------------
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
-
 # -----------------------------------------------------------------------
 # Decide which tag we’re going to publish
 # -----------------------------------------------------------------------
@@ -66,10 +43,10 @@ jobs:
 set -euo pipefail
 if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
 RAW_TAG="${RELEASE_TAG_NAME}"
- elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${MANUAL_TAG}" ]]; then
+ elif [[ -n "${MANUAL_TAG}" ]]; then
 RAW_TAG="${MANUAL_TAG}"
 else
- # workflow_run (or manual w/o tag) → ask GitHub API for latest release tag
+ # manual w/o tag → ask GitHub API for latest release tag
 RAW_TAG=$(curl -sSL -H "Authorization: Bearer ${GH_TOKEN}" \
 "https://api.github.com/repos/${{ github.repository }}/releases/latest" \
 | jq -r .tag_name)
@@ -80,6 +57,10 @@ jobs:
 echo "Selected tag: ${TAG}"
 echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: v${{ steps.tag.outputs.tag }}
+
 # -----------------------------------------------------------------------
 # Build & push
 # -----------------------------------------------------------------------
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 54f0959..ee70fbc 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM alpine:latest
+FROM alpine:latest@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 RUN apk add --no-cache curl tar git
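Review bot: The re-added checkout reconstructs its ref as `v${{ steps.tag.outputs.tag }}`, which assumes the tag step strips a leading `v` before writing `tag=`; that normalisation and any validation sit in lines 70–79, outside this hunk, so the assumption cannot be confirmed here. Rebuilding a git ref from a normalised value is fragile (a release tagged without the `v`, or with an uppercase `V`, would check out a ref that does not exist), so have the tag step also emit the exact tag string after its validation, `echo "ref=${RAW_TAG}" >> "${GITHUB_OUTPUT}"`, and use `ref: ${{ steps.tag.outputs.ref }}` here. Note too that, unlike the removed `github.sha` checkout, this checks out by tag name: on the `release` event the two coincide at publish time, but a tag moved afterwards would make a re-run build from the moved commit.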