diff --git a/.github/workflows/run-tests.yml b/.github/workflows/_run-tests.yml
similarity index 71%
rename from .github/workflows/run-tests.yml
rename to .github/workflows/_run-tests.yml
index d8cc5b5..7bff95a 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/_run-tests.yml
@@ -1,7 +1,7 @@
 name: Run tests
 
 on:
-  pull_request:
+  workflow_dispatch:
   workflow_call:
 
 permissions:
@@ -12,9 +12,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: Setup Node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
         with:
           node-version-file: '.nvmrc'
           cache: 'npm'
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..8b61c54
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,15 @@
+name: PR
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    uses: ./.github/workflows/_run-tests.yml
+
+  dependency-review:
+    name: Dependency Review scan
+    uses: alphagov/pay-ci/.github/workflows/_run-dependency-review.yml@master
diff --git a/.github/workflows/prevent-merge-if-release-open.yml b/.github/workflows/prevent-merge-if-release-open.yml
index ac7ad82..2351a23 100644
--- a/.github/workflows/prevent-merge-if-release-open.yml
+++ b/.github/workflows/prevent-merge-if-release-open.yml
@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: Check for unmerged release
         id: check_pr
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         env:
           THIS_PR_NUMBER: ${{ github.event.pull_request.number }}
         with:
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index c1e3a8b..023fce3 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -10,16 +10,16 @@ permissions:
 
 jobs:
   unit-tests:
-    uses: ./.github/workflows/run-tests.yml
+    uses: ./.github/workflows/_run-tests.yml
   publish:
     needs: unit-tests
     runs-on: ubuntu-latest
     if: "contains(github.event.head_commit.message, '[automated release]')"
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: Setup Node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
         with:
           node-version-file: '.nvmrc'
           cache: 'npm'