diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
index 2f93eed3..e804ff1a 100644
--- a/remediation/workflow/hardenrunner/addaction.go
+++ b/remediation/workflow/hardenrunner/addaction.go
@@ -51,7 +51,7 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo
 }
 if updated && pinActions {
- out, _ = pin.PinAction(action, out, nil, pinToImmutable)
+ out, _, _ = pin.PinAction(action, out, nil, pinToImmutable)
 }
 return out, updated, nil
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
index b35d6e15..bd2d7fca 100644
--- a/remediation/workflow/pin/pinactions.go
+++ b/remediation/workflow/pin/pinactions.go
@@ -29,7 +29,10 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool)
 for _, step := range job.Steps {
 if len(step.Uses) > 0 {
 localUpdated := false
- out, localUpdated = PinAction(step.Uses, out, exemptedActions, pinToImmutable)
+ out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable)
+ if err != nil {
+ return out, updated, err
+ }
 updated = updated || localUpdated
 }
 }
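Review bot: The added `_` in `out, _, _ = pin.PinAction(action, out, nil, pinToImmutable)` discards the error that this same commit introduces so that PinActions can propagate it, so a lookup failure here still leaves the action silently unpinned even though the caller asked for pinActions. AddAction already returns an error value in the visible `return out, updated, nil`, so the failure can be surfaced: `out, _, err = pin.PinAction(action, out, nil, pinToImmutable)` followed by `if err != nil { return out, updated, err }` (use `:=` if no `err` is in scope; AddAction's body starts outside the hunk). If leaving the action unpinned on error is intentional for the harden-runner path, a one-line comment such as `// best effort: a pin failure must not block adding harden-runner` would make that explicit.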
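Review bot: The new `return out, updated, err` makes the first step whose ref cannot be resolved abort pinning for every later step and hands back a partially pinned `out` alongside the error, which callers may store as if it were a result. Previously an unresolvable ref (deleted tag, private repository without a token) was skipped and the remaining steps were still pinned; this behaviour change is worth stating in PinActions's doc comment, e.g. `// PinActions stops at the first action whose ref cannot be resolved and returns the output produced so far together with the error.` If the intent is to keep pinning what can be pinned, the loop could record the failure and continue, returning the collected errors (errors.Join if the module's Go version allows it) once all steps have been visited. The surrounding PinActions body starts outside the hunk, so I cannot see where `err` is declared.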
@@ -38,29 +41,32 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool)
 return out, updated, nil
 }
-func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool) (string, bool) {
+func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool) (string, bool, error) {
 updated := false
 if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
- return inputYaml, updated // Cannot pin local actions and docker actions
+ return inputYaml, updated, nil // Cannot pin local actions and docker actions
 }
 if isAbsolute(action) || (pinToImmutable && IsImmutableAction(action)) {
- return inputYaml, updated
+ return inputYaml, updated, nil
 }
 leftOfAt := strings.Split(action, "@")
 tagOrBranch := leftOfAt[1] // skip pinning for exempted actions
 if ActionExists(leftOfAt[0], exemptedActions) {
- return inputYaml, updated
+ return inputYaml, updated, nil
 }
 splitOnSlash := strings.Split(leftOfAt[0], "/")
 owner := splitOnSlash[0]
 repo := splitOnSlash[1]
- PAT := os.Getenv("PAT")
+ PAT := os.Getenv("SECURE_REPO_PAT")
+ if PAT == "" {
+ PAT = os.Getenv("PAT")
+ }
 ctx := context.Background()
 ts := oauth2.StaticTokenSource(
@@ -72,13 +78,10 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 commitSHA, _, err := client.Repositories.GetCommitSHA1(ctx, owner, repo, tagOrBranch, "")
 if err != nil {
- return inputYaml, updated
+ return inputYaml, updated, fmt.Errorf("unable to get commit sha %v", err)
 }
- tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
- if err != nil {
- return inputYaml, updated
- }
+ tagOrBranch, _ = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA) // pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
 // build separately so we can quote only the ref, not the comment
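Review bot: The token selection at `PAT := os.Getenv("SECURE_REPO_PAT")` falls back to `PAT` without a comment, and an empty result is still handed to oauth2.StaticTokenSource, so with neither variable set the lookup goes out with an empty token and, now that the function returns an error, the failure reaches callers only as "unable to get commit sha", indistinguishable from a bad ref. A comment on the precedence, `// SECURE_REPO_PAT takes precedence; PAT is kept for backwards compatibility`, plus an early `if PAT == "" { return inputYaml, updated, fmt.Errorf("no GitHub token: set SECURE_REPO_PAT or PAT") }` would make a misconfiguration diagnosable (only if unauthenticated lookups are not meant to be supported; if they are, the client should be built without a token source when PAT is empty). The doc comment for PinAction should also describe the new third result: which conditions return a non-nil error versus a silent `(inputYaml, false, nil)`. PinAction's body continues in later hunks.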
@@ -109,7 +112,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 inputYaml = actionRegex.ReplaceAllString(inputYaml, pinnedActionWithVersion+"$2")
 inputYaml, _ = removePreviousActionComments(pinnedActionWithVersion, inputYaml)
- return inputYaml, !strings.EqualFold(action, pinnedActionWithVersion)
+ return inputYaml, !strings.EqualFold(action, pinnedActionWithVersion), nil
 }
 updated = !strings.EqualFold(action, fullPinned)
@@ -141,7 +144,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 )
 inputYaml, _ = removePreviousActionComments(fullPinned, inputYaml)
- return inputYaml, updated
+ return inputYaml, updated, nil
 } // It may be that there was already a comment next to the action
diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
index 44c1c07a..120f3b29 100644
--- a/remediation/workflow/secureworkflow.go
+++ b/remediation/workflow/secureworkflow.go
@@ -143,7 +143,13 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 log.Printf("Pinning GitHub Actions")
 }
 pinnedAction, pinnedDocker := false, false
- secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)
+ secureWorkflowReponse.FinalOutput, pinnedAction, err = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)
+ if err != nil {
+ if enableLogging {
+ log.Printf("Error pinning actions: %v", err)
+ }
+ return secureWorkflowReponse, err
+ }
 secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
 pinnedActions = pinnedAction || pinnedDocker
 if enableLogging {
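Review bot: On the error path the response returned with `err` already carries a modified FinalOutput: the multi-assignment `secureWorkflowReponse.FinalOutput, pinnedAction, err = pin.PinActions(...)` stores PinActions's partial output before `if err != nil` runs, so a caller that reads the response despite the error sees a half-pinned workflow rather than the pre-pinning text. Assigning into a local first keeps the response untouched on failure: `pinnedOutput, pinnedAction, err := pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)` and, after the error check, `secureWorkflowReponse.FinalOutput = pinnedOutput`. The early return also skips PinDocker and whatever follows in SecureWorkflow, which previously ran even when action pinning failed; that is presumably intended but deserves a sentence in the function's doc comment. SecureWorkflow's body starts and ends outside the hunk, so I cannot see where `err` is declared or how later steps depend on this.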