diff --git a/.github/workflows/maven-workflow-run.yml b/.github/workflows/maven-workflow-run.yml
index b240e8a..45a6923 100644
--- a/.github/workflows/maven-workflow-run.yml
+++ b/.github/workflows/maven-workflow-run.yml
@@ -10,6 +10,11 @@ on:
         description: 'The full commit id to build'
         required: true
 
+# Least-privilege default token. Only the check-status steps need checks: write.
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   comment-run:
     runs-on: ${{ matrix.os }}
@@ -20,12 +25,18 @@ jobs:
         java: [ '8', '11', '17' ]
         os: [ 'macos-latest', 'windows-latest', 'ubuntu-latest' ]
     name: Java-selenium Repo ${{ matrix.Java }} - ${{ matrix.os }} Sample
-    env:
-      BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
-      BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
 
     steps:
-      - uses: actions/checkout@v3
+      - name: Validate commit_sha input
+        env:
+          COMMIT_SHA: ${{ github.event.inputs.commit_sha }}
+        shell: bash
+        run: |
+          if [[ ! "$COMMIT_SHA" =~ ^[0-9a-fA-F]{40}$ ]]; then
+            echo "::error::commit_sha must be a full 40-character hex commit id"
+            exit 1
+          fi
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           ref: ${{ github.event.inputs.commit_sha }}
       - uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
@@ -48,19 +59,28 @@ jobs:
               console.log('Failed to create check run')
             }
       - name: Set up Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
       - name: Run mvn test
+        env:
+          BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
+          BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
         run: |
           mvn compile
           mvn test
       - name: Run mvn profile sample-local-test
+        env:
+          BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
+          BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
         run: |
           mvn compile
           mvn test -P sample-local-test
       - name: Run mvn profile sample-test
+        env:
+          BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
+          BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
         run: |
           mvn compile
           mvn test -P sample-test
diff --git a/pom.xml b/pom.xml
index 9974a1c..66f06ac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,6 +18,7 @@
         <surefire.version>2.19.1</surefire.version>
         <selenium.version>4.1.4</selenium.version>
         <json-simple.version>1.1.1</json-simple.version>
+        <browserstack-java-sdk.version>1.60.2</browserstack-java-sdk.version>
         <config.file>config/sample-local-test.testng.xml</config.file>
     </properties>
 
@@ -35,7 +36,7 @@
         <dependency>
             <groupId>com.browserstack</groupId>
             <artifactId>browserstack-java-sdk</artifactId>
-            <version>LATEST</version>
+            <version>${browserstack-java-sdk.version}</version>
             <scope>compile</scope>
         </dependency>
     </dependencies>