diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9f73cdb..8a55d85 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,9 +26,9 @@ jobs: - # Initializes the CodeQL tools for scanning. name: Initialize CodeQL - uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 + uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: languages: ${{ matrix.language }} - name: Analyze ${{ matrix.language }} - uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 + uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 diff --git a/.github/workflows/collect-coverage.yml b/.github/workflows/collect-coverage.yml index 1ffa60b..4c37bd9 100644 --- a/.github/workflows/collect-coverage.yml +++ b/.github/workflows/collect-coverage.yml @@ -30,7 +30,7 @@ jobs: path: coverage/ - name: Upload coverage to codecov - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: name: Aggregated coverage # All *.coverage.*.out files uploaded should be detected by the codecov action. diff --git a/.github/workflows/collect-reports.yml b/.github/workflows/collect-reports.yml index 2e2dd43..bbe5ff2 100644 --- a/.github/workflows/collect-reports.yml +++ b/.github/workflows/collect-reports.yml @@ -48,7 +48,7 @@ jobs: - name: Upload test results to Codecov # This allows for using the test results UI on codecov - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: files: '**/junit_report.xml' report_type: 'test_results' diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml index 514dfc6..1fc8f53 100644 --- a/.github/workflows/contributors.yml 
+++ b/.github/workflows/contributors.yml @@ -33,7 +33,7 @@ jobs: mv contributors.md CONTRIBUTORS.md - name: Switch to go-openapi bot user - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 id: app-token with: app-id: ${{ secrets.CI_BOT_APP_ID }} @@ -51,7 +51,7 @@ jobs: - name: Create a PR id: create-pull-request - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 + uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0 with: commit-message: "doc: updated contributors file" branch: doc/contributors-bot diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml index c68deed..57b5a0a 100644 --- a/.github/workflows/scanner.yml +++ b/.github/workflows/scanner.yml @@ -49,7 +49,7 @@ jobs: exit-code: 0 - name: Upload trivy findings to code scanning dashboard - uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: category: trivy sarif_file: trivy-code-report.sarif @@ -69,7 +69,7 @@ jobs: output-file: govulnscan-report.sarif - name: Upload govulnscan findings to code scanning dashboard - uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: category: govulnscan sarif_file: govulnscan-report.sarif
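Review bot: In the second contributors.yml hunk, `peter-evans/create-pull-request` moves from v7.0.9 to v8.0.0, a major release, while every other bump in this patch is patch-level; the step's `with:` inputs are left untouched, so nothing visible shows they were checked against the new major version. The step sits in the same job that mints a token from `secrets.CI_BOT_APP_ID` one hunk earlier, so it presumably runs with the bot's write access, and the trailing `# v8.0.0` is only a comment: the runner resolves the 40-character SHA, which should be confirmed to be the upstream v8.0.0 tag before merging. I would add a line above the step such as `# v7 -> v8 major upgrade: inputs and runner requirements checked against upstream release notes`, or split this bump into its own change so it can be reverted independently. The step's `with:` block continues outside the hunk.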