diff --git a/Makefile b/Makefile
index cd8ee7b4..869ee8cd 100644
--- a/Makefile
+++ b/Makefile
@@ -73,12 +73,14 @@ golangci_lint_config := .golangci.yaml # For `make generate-golangci-lint-config
 # - tools: allows us to download crane
 # - generate-verify: to allow renovate to run make generate after updating the `go.mod` files in this repo.
 # - go: so that make go-tidy is triggered by make generate.
+# - gh-workflows: so that also this module can benefit from generic reusable workflows and ensure actions are pinned correctly.
 #
 # Module files must be included in number order (00,01,02) to satisfy the
 # dependencies between them.
 include modules/tools/00_mod.mk
 include modules/generate-verify/00_mod.mk
 include modules/go/01_mod.mk
+include modules/gh-workflows/01_mod.mk
 include modules/generate-verify/02_mod.mk
 ## Upgrade targets
diff --git a/modules/gh-workflows/01_mod.mk b/modules/gh-workflows/01_mod.mk
new file mode 100644
index 00000000..b6f53326
--- /dev/null
+++ b/modules/gh-workflows/01_mod.mk
@@ -0,0 +1,27 @@
+# Copyright 2026 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: verify-pinact
+## Verify all actions have pinned digests with matching version comment
+## @category [shared] Generate/ Verify
+verify-pinact: | $(NEEDS_PINACT)
+ $(PINACT) run --check --verify-comment
+
+shared_verify_targets += verify-pinact
+
+.PHONY: fix-pinact
+## Fix all actions have pinned digests with matching version comment
+## @category [shared] Generate/ Verify
+fix-pinact: | $(NEEDS_PINACT)
+ $(PINACT) run --fix --verify-comment
diff --git a/modules/tools/00_mod.mk b/modules/tools/00_mod.mk
index 5eda7fd4..6ca5f882 100644
--- a/modules/tools/00_mod.mk
+++ b/modules/tools/00_mod.mk
@@ -200,6 +200,9 @@ tools += yamlfmt=v0.21.0
 # https://github.com/yannh/kubeconform/releases
 # renovate: datasource=github-releases packageName=yannh/kubeconform
 tools += kubeconform=v0.8.0
+# https://github.com/suzuki-shunsuke/pinact/releases
+# renovate: datasource=github-releases packageName=suzuki-shunsuke/pinact
+tools += pinact=v4.1.0
 # FIXME(erikgb): cert-manager needs the ability to override the version set here
 # https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions
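Review bot: In modules/gh-workflows/01_mod.mk the help comment above `fix-pinact` is a near-copy of the one on `verify-pinact` and does not say that the target rewrites workflow files. Since `--fix` presumably resolves each action tag to whatever commit it points at when the target runs, the pinned digest is only as trustworthy as the tag at that moment, so the comment should tell the user to review the result: `## Pin all actions to commit digests and correct their version comments; review the resulting diff before committing`. Adding `verify-pinact` to `shared_verify_targets` also appears to make the shared verify run depend on GitHub API access for the comment check; if that is the case, a comment on how a token is supplied in CI would help avoid rate-limit failures being mistaken for unpinned actions.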
@@ -431,6 +434,7 @@ go_dependencies += gh=github.com/cli/cli/v2/cmd/gh
 go_dependencies += gci=github.com/daixiang0/gci
 go_dependencies += yamlfmt=github.com/google/yamlfmt/cmd/yamlfmt
 go_dependencies += kubeconform=github.com/yannh/kubeconform/cmd/kubeconform
+go_dependencies += pinact=github.com/suzuki-shunsuke/pinact/v4/cmd/pinact
 #################
 # go build tags #