diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index a8d6311c61..2c3624304b 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -24,7 +24,7 @@ jobs:
     name: Action lint
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: block
           allowed-endpoints: >
diff --git a/.github/workflows/autodocs-platform.yaml b/.github/workflows/autodocs-platform.yaml
index 3d5329bfd4..33f7fbfd19 100644
--- a/.github/workflows/autodocs-platform.yaml
+++ b/.github/workflows/autodocs-platform.yaml
@@ -22,7 +22,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
@@ -30,11 +30,11 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: 'Setup gitsign'
-        uses: chainguard-dev/actions/setup-gitsign@de68b87302e6266db5fb5220246f8aa46fe94b67 # v1.6.14
+        uses: chainguard-dev/actions/setup-gitsign@061bc0e921116bde1470f51fb5c86d5318f16558 # v1.6.15
       - name: Authenticate to Google Cloud
         id: auth
-        uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1
+        uses: step-security/google-github-auth@775fc4c80760272ef389c9f9f8d98de7db0c170d # v3.0.2
         with:
           service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
           workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"
@@ -44,7 +44,7 @@ jobs:
           project_id: "${{ secrets.PROJECT_ID }}"
           storage_bucket: "${{ secrets.STORAGE_BUCKET }}"
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 16
diff --git a/.github/workflows/build-terminal-images.yaml b/.github/workflows/build-terminal-images.yaml
index 3759b5f7ff..bb2a8ac6a3 100644
--- a/.github/workflows/build-terminal-images.yaml
+++ b/.github/workflows/build-terminal-images.yaml
@@ -34,7 +34,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
@@ -57,7 +57,7 @@ jobs:
       - name: Authenticate to Google Cloud
         id: auth
-        uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1
+        uses: step-security/google-github-auth@775fc4c80760272ef389c9f9f8d98de7db0c170d # v3.0.2
         with:
           service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
           workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"
diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index f9ece4949d..a1711b22f2 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
diff --git a/.github/workflows/cloud-run.yaml b/.github/workflows/cloud-run.yaml
index 97b18212b2..132f5d013b 100644
--- a/.github/workflows/cloud-run.yaml
+++ b/.github/workflows/cloud-run.yaml
@@ -23,14 +23,14 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
       - name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 20
@@ -53,7 +53,7 @@ jobs:
       - name: Authenticate to Google Cloud
         id: auth
-        uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1
+        uses: step-security/google-github-auth@775fc4c80760272ef389c9f9f8d98de7db0c170d # v3.0.2
         with:
           token_format: 'access_token'
           project_id: '${{ secrets.PROJECT_ID }}'
diff --git a/.github/workflows/compile-ai-docs-from-gcs.yaml b/.github/workflows/compile-ai-docs-from-gcs.yaml
index 331c674530..1ef80d9309 100644
--- a/.github/workflows/compile-ai-docs-from-gcs.yaml
+++ b/.github/workflows/compile-ai-docs-from-gcs.yaml
@@ -37,7 +37,7 @@ jobs:
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -71,7 +71,7 @@ jobs:
           # persist-credentials left enabled — this workflow needs git push
       - name: Authenticate to Google Cloud
-        uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1
+        uses: step-security/google-github-auth@775fc4c80760272ef389c9f9f8d98de7db0c170d # v3.0.2
         with:
           workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"
           service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
diff --git a/.github/workflows/compile-docs-on-webhook.yml b/.github/workflows/compile-docs-on-webhook.yml
index 3ed2c20ce2..99a01d1a13 100644
--- a/.github/workflows/compile-docs-on-webhook.yml
+++ b/.github/workflows/compile-docs-on-webhook.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
diff --git a/.github/workflows/compile-docs.yml b/.github/workflows/compile-docs.yml
index 69aeeaab84..b6e6fdb74d 100644
--- a/.github/workflows/compile-docs.yml
+++ b/.github/workflows/compile-docs.yml
@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: Harden the runner
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: block
           allowed-endpoints: >
diff --git a/.github/workflows/compile-public-docs.yml b/.github/workflows/compile-public-docs.yml
index 303bfe16b7..8ccb177717 100644
--- a/.github/workflows/compile-public-docs.yml
+++ b/.github/workflows/compile-public-docs.yml
@@ -37,7 +37,7 @@ jobs:
     steps:
       - name: Harden the runner
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: block
           allowed-endpoints: >
diff --git a/.github/workflows/export-edu-docs-to-gcs.yaml b/.github/workflows/export-edu-docs-to-gcs.yaml
index a170f1dc02..f7570636cd 100644
--- a/.github/workflows/export-edu-docs-to-gcs.yaml
+++ b/.github/workflows/export-edu-docs-to-gcs.yaml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
@@ -36,7 +36,7 @@ jobs:
           persist-credentials: false # Don't persist auth token
       - name: Authenticate to Google Cloud
-        uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1
+        uses: step-security/google-github-auth@775fc4c80760272ef389c9f9f8d98de7db0c170d # v3.0.2
         with:
           workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"
           service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
diff --git a/.github/workflows/rumble-vulnerability-data.yaml b/.github/workflows/rumble-vulnerability-data.yaml
index 42f52adc29..1170f95ed1 100644
--- a/.github/workflows/rumble-vulnerability-data.yaml
+++ b/.github/workflows/rumble-vulnerability-data.yaml
@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
@@ -43,7 +43,7 @@ jobs:
       - name: Authenticate to Google Cloud
         id: auth
-        uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1
+        uses: step-security/google-github-auth@775fc4c80760272ef389c9f9f8d98de7db0c170d # v3.0.2
         with:
           service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com"
           workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu"
diff --git a/.github/workflows/validate-nginx-config.yaml b/.github/workflows/validate-nginx-config.yaml
index 959c161aa0..4f26cb711f 100644
--- a/.github/workflows/validate-nginx-config.yaml
+++ b/.github/workflows/validate-nginx-config.yaml
@@ -18,14 +18,14 @@ jobs:
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
       - name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 16
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index b1c3fb0450..49fe93e4d4 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -26,7 +26,7 @@ jobs:
       contents: read # Clone the repository
       security-events: write # Upload SARIF results to Code Scanning
     steps:
-      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: block
           allowed-endpoints: >