diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 00000000..daea9469
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,3 @@
+self-hosted-runner:
+  labels:
+    - self-hosted-hoprnet-small
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 35fc78a6..f7e83151 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -22,7 +22,7 @@ jobs:
     permissions:
       pull-requests: read
     steps:
-      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/flake.lock b/flake.lock
index 4739c73c..910f9c83 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,21 @@
 {
   "nodes": {
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -18,24 +34,70 @@
         "type": "github"
       }
     },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "pre-commit",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1774273680,
-        "narHash": "sha256-a++tZ1RQsDb1I0NHrFwdGuRlR5TORvCEUksM459wKUA=",
+        "lastModified": 1781509190,
+        "narHash": "sha256-uJZs9Di8I6ciTp6jiojj0HzlNpBkud8ax5aT/O5aJkw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fdc7b8f7b30fdbedec91b71ed82f36e1637483ed",
+        "rev": "d6df3513510aa548c83868fd22bfddd0a8c0a0d4",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1778507602,
+        "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
       }
     },
     "root": {
       "inputs": {
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "pre-commit": "pre-commit"
       }
     },
     "systems": {
diff --git a/flake.nix b/flake.nix
index d1d32568..4d4fa588 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,51 +3,98 @@
   inputs = {
     flake-utils.url = "github:numtide/flake-utils";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    pre-commit.url = "github:cachix/git-hooks.nix";
+    pre-commit.inputs.nixpkgs.follows = "nixpkgs";
   };
-  outputs = { self, nixpkgs, flake-utils}:
-    flake-utils.lib.eachDefaultSystem
-    (system:
-      let
-        pkgs = nixpkgs.legacyPackages.${system};
-        pkgsLinux = nixpkgs.legacyPackages."x86_64-linux";
+  outputs =
+    {
+      self,
+      nixpkgs,
+      flake-utils,
+      pre-commit,
+    }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+        pkgsLinux = nixpkgs.legacyPackages."x86_64-linux";
-        dockerBuild = pkgs.writeShellApplication {
-          name = "dockerBuild";
-          runtimeInputs = [
-            pkgs.docker
-            pkgs.coreutils
-          ];
-          text = ''
-            #!/usr/bin/env bash
-            set -euo pipefail
+        dockerBuild = pkgs.writeShellApplication {
+          name = "dockerBuild";
+          runtimeInputs = [
+            pkgs.docker_29
+            pkgs.coreutils
+          ];
+          text = ''
+            #!/usr/bin/env bash
+            set -euo pipefail
-            echo "[+] Building: hopr-admin:latest"
-            docker build --platform linux/amd64 -t hopr-admin:latest -f ./Dockerfile .
-            echo "[✓] Done: hopr-admin:latest"
-          '';
-        };
+            echo "[+] Building: hopr-admin:latest"
+            docker build --platform linux/amd64 -t hopr-admin:latest -f ./Dockerfile .
+            echo "[✓] Done: hopr-admin:latest"
+          '';
+        };
-      in
-      {
-        devShells.default = import ./shell.nix { inherit pkgs; };
-        devShells.ci = pkgs.mkShell {
-          nativeBuildInputs = [
-            pkgs.zizmor
-          ];
+        pre-commit-check = pre-commit.lib.${system}.run {
+          src = ./.;
+          hooks = {
+            check-executables-have-shebangs.enable = true;
+            check-shebang-scripts-are-executable.enable = true;
+            check-case-conflicts.enable = true;
+            check-symlinks.enable = true;
+            check-merge-conflicts.enable = true;
+            check-added-large-files.enable = true;
+            commitizen.enable = true;
+            actionlint.enable = true;
+            pinact = {
+              enable = true;
+              name = "pinact";
+              description = "Check GitHub Action refs are SHA-pinned and resolvable";
+              entry = "${pkgs.writeShellScript "pinact-check" ''
+                token="''${GITHUB_TOKEN:-$(${pkgs.gh}/bin/gh auth token 2>/dev/null || true)}"
+                if [ -z "$token" ]; then
+                  echo "pinact: skipping — no GITHUB_TOKEN and gh not authenticated" >&2
+                  exit 0
+                fi
+                export GITHUB_TOKEN="$token"
+                exec ${pkgs.pinact}/bin/pinact run --check
+              ''}";
+              files = "^\\.github/workflows/.*\\.ya?ml$";
+              language = "system";
+              pass_filenames = false;
+            };
           };
+          tools = pkgs;
+        };
+      in
+      {
+        devShells.default = pkgs.mkShell {
+          inputsFrom = [ (import ./shell.nix { inherit pkgs; }) ];
+          buildInputs = [ pkgs.gh ];
+          shellHook = ''
+            export GITHUB_TOKEN="''${GITHUB_TOKEN:-$(gh auth token 2>/dev/null || true)}"
+            ${pre-commit-check.shellHook}
+          '';
+        };
+        devShells.ci = pkgs.mkShell {
+          nativeBuildInputs = [
+            pkgs.zizmor
+          ];
+        };
-        # Expose as flake as app
-        apps = {
-          docker-x86_64-linux = {
-            type = "app";
-            program = "${dockerBuild}/bin/dockerBuild";
-          };
-          default = {
-            type = "app";
-            program = "${dockerBuild}/bin/dockerBuild";
-          };
+        # Expose as flake as app
+        apps = {
+          docker-x86_64-linux = {
+            type = "app";
+            program = "${dockerBuild}/bin/dockerBuild";
+          };
+          default = {
+            type = "app";
+            program = "${dockerBuild}/bin/dockerBuild";
           };
-      }
-    );
-}
\ No newline at end of file
+        };
+      }
+    );
+}
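Review bot: The `shellHook` of `devShells.default` exports the developer's `gh auth token` as `GITHUB_TOKEN` into the environment of every process started from the dev shell, so any build script, package-manager lifecycle hook or compromised tool run there can read a credential that only the pinact hook actually needs. The pinact `entry` script already resolves the same token on demand (from `GITHUB_TOKEN` or `gh auth token`), so the export line in `shellHook` is redundant and can be dropped, leaving `shellHook = pre-commit-check.shellHook;`. Separately, that entry script does `exit 0` when no token is found, so a checkout without GitHub auth silently passes the SHA-pin check it is described as enforcing; consider failing instead when running non-interactively, e.g. inserting `if [ -n "''${CI:-}" ]; then echo "pinact: GITHUB_TOKEN required in CI" >&2; exit 1; fi` before the `exit 0` (whether pinact can fall back to unauthenticated API calls is not shown here). Note also that `pre-commit-check` is only wired into the dev shell's `shellHook` and not into `devShells.ci` or a `checks` output, so as far as this hunk shows nothing in CI runs these hooks at all.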