diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index ccf46fd8..fc4a8258 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -48,7 +48,7 @@ jobs: if: success() || failure() with: sarif_file: megalinter-reports/megalinter-report.sarif - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: success() || failure() with: name: Linter Report diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index c89a2bab..ff395c7a 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -21,8 +21,8 @@ jobs: # set-up correctly. container: ghcr.io/philips-software/amp-devcontainer-${{ matrix.flavor }}:edge permissions: - contents: write # is needed by peter-evans/create-pull-request to create branches and push commits - pull-requests: write # is needed by peter-evans/create-pull-request to create a PR + contents: write # is needed by gh cli to create branches and push commits + pull-requests: write # is needed by gh cli to create a PR steps: - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: 
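Review bot: The reworded comments on `contents: write` and `pull-requests: write` credit the job token's scopes to gh cli, yet the `Create pull request` step added later in this file gives gh the app token through `GH_TOKEN`, so from what the diff shows gh never authenticates with `GITHUB_TOKEN`. Whether `git push` does depends on the checkout step, which is outside the hunk: persisted checkout credentials may take precedence over the helper installed by `gh auth setup-git`. If the push is meant to go out under the app token, both scopes look reducible to `contents: read` with `pull-requests` dropped; otherwise the comment should read something like `# is needed by git push (persisted checkout credentials)`. The same applies to the permissions block in the `@@ -56,11 +75,11 @@` hunk.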
@@ -40,15 +40,34 @@ jobs: with: app-id: ${{ vars.FOREST_RELEASER_APP_ID }} private-key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY }} - - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 + - name: Create pull request if: github.event_name != 'pull_request' - with: - commit-message: "Update ${{ join(fromJson(steps.update-packages.outputs.updated-dependencies), ', ') }}" - branch: feature/amp-devcontainer-${{ matrix.flavor }}/update-apt-packages - title: "chore(deps, ${{ matrix.flavor }}): update ${{ join(fromJson(steps.update-packages.outputs.updated-dependencies), ', ') }}" - labels: dependencies,apt - token: ${{ steps.token.outputs.token }} - sign-commits: true + env: + BRANCH: feature/amp-devcontainer-${{ matrix.flavor }}/update-apt-packages + COMMIT_MESSAGE: Update ${{ join(fromJson(steps.update-packages.outputs.updated-dependencies), ', ') }} + GH_TOKEN: ${{ steps.token.outputs.token }} + TITLE: "chore(deps, ${{ matrix.flavor }}): update ${{ join(fromJson(steps.update-packages.outputs.updated-dependencies), ', ') }}" + run: | + if [[ -z "$(git status --porcelain)" ]]; then + echo No changes detected + exit 0 + fi + + git config user.name github-actions[bot] + git config user.email 41898282+github-actions[bot]@users.noreply.github.com + gh auth setup-git + + git checkout -B "${BRANCH}" + git add . + git commit -m "${COMMIT_MESSAGE}" + git push --force-with-lease origin "${BRANCH}" + + pr_number="$(gh pr list --head "${BRANCH}" --state open --json number --jq '.[0].number')" + if [[ -n "${pr_number}" ]]; then + gh pr edit "${pr_number}" --title "${TITLE}" --add-label dependencies --add-label apt + else + gh pr create --head "${BRANCH}" --title "${TITLE}" --body "${COMMIT_MESSAGE}" --label dependencies --label apt + fi update-vscode-extensions: name: ${{ github.event_name == 'pull_request' && '🧪' || '' }} Extensions (🍨 ${{ matrix.flavor }}, ${{ matrix.file }}) 
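Review bot: The removed action ran with `sign-commits: true`, while the replacement `run:` block commits with plain `git commit -m "${COMMIT_MESSAGE}"` and configures no signing key, so the commits on the update branch will presumably show up as unverified. They are also authored as `github-actions[bot]` although the push and the PR are made with the app token, which makes the history harder to attribute. If a ruleset requires signed commits these PRs would stop being mergeable; creating the commit through the API instead (for example the GraphQL `createCommitOnBranch` mutation via `gh api graphql`) keeps GitHub-side signing, or at least add a comment such as `# commits are unsigned since the move away from create-pull-request` so the change is visibly deliberate. The `@@ -88,13 +107,32 @@` hunk carries the same script, and the step's job starts outside this hunk.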
@@ -56,11 +75,11 @@ jobs: strategy: fail-fast: false matrix: - flavor: ["cpp", "rust"] - file: ["devcontainer-metadata.json", "devcontainer.json"] + flavor: [cpp, rust] + file: [devcontainer-metadata.json, devcontainer.json] permissions: - contents: write # is needed by peter-evans/create-pull-request to create branches and push commits - pull-requests: write # is needed by peter-evans/create-pull-request to create a PR + contents: write # is needed by gh cli to create branches and push commits + pull-requests: write # is needed by gh cli to create a PR steps: - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: 
@@ -88,13 +107,32 @@ jobs: with: app-id: ${{ vars.FOREST_RELEASER_APP_ID }} private-key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY }} - - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 + - name: Create pull request if: github.event_name != 'pull_request' - with: - commit-message: "Update ${{ join(fromJson(steps.update-extensions.outputs.updated-dependencies), ', ') }} in ${{ matrix.file }}" - branch: feature/amp-devcontainer-${{ matrix.flavor }}/update-vscode-extensions-${{ matrix.file }} - body-path: ${{ runner.temp }}/pull-request-body.md - title: "chore(deps, ${{ matrix.flavor }}): update ${{ join(fromJson(steps.update-extensions.outputs.updated-dependencies), ', ') }} in ${{ matrix.file }}" - labels: dependencies,vscode-extensions - token: ${{ steps.token.outputs.token }} - sign-commits: true + env: + BODY_PATH: ${{ runner.temp }}/pull-request-body.md + BRANCH: feature/amp-devcontainer-${{ matrix.flavor }}/update-vscode-extensions-${{ matrix.file }} + COMMIT_MESSAGE: Update ${{ join(fromJson(steps.update-extensions.outputs.updated-dependencies), ', ') }} in ${{ matrix.file }} + GH_TOKEN: ${{ steps.token.outputs.token }} + TITLE: "chore(deps, ${{ matrix.flavor }}): update ${{ join(fromJson(steps.update-extensions.outputs.updated-dependencies), ', ') }} in ${{ matrix.file }}" + run: | + if [[ -z "$(git status --porcelain)" ]]; then + echo No changes detected + exit 0 + fi + + git config user.name github-actions[bot] + git config user.email 41898282+github-actions[bot]@users.noreply.github.com + gh auth setup-git + + git checkout -B "${BRANCH}" + git add . 
+ git commit -m "${COMMIT_MESSAGE}" + git push --force-with-lease origin "${BRANCH}" + + pr_number="$(gh pr list --head "${BRANCH}" --state open --json number --jq '.[0].number')" + if [[ -n "${pr_number}" ]]; then + gh pr edit "${pr_number}" --title "${TITLE}" --body-file "${BODY_PATH}" --add-label dependencies --add-label vscode-extensions + else + gh pr create --head "${BRANCH}" --title "${TITLE}" --body-file "${BODY_PATH}" --label dependencies --label vscode-extensions + fi diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml index b6d02323..74fd3e95 100644 --- a/.github/workflows/wc-acceptance-test.yml +++ b/.github/workflows/wc-acceptance-test.yml @@ -100,7 +100,7 @@ jobs: GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} PLAYWRIGHT_JUNIT_OUTPUT_NAME: ${{ github.workspace }}/test-report-acceptance-${{ inputs.image-basename }}.xml - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: ${{ !cancelled() }} with: name: test-results-acceptance-${{ inputs.image-basename }} diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index 9a631a61..7376dd24 100644 --- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml @@ -115,7 +115,7 @@ jobs: id: devcontainer-epoch - run: echo "arch=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" id: devcontainer-arch - - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 id: build-and-push env: SOURCE_DATE_EPOCH: ${{ steps.devcontainer-epoch.outputs.git-commit-epoch }} 
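Review bot: `git push --force-with-lease origin "${BRANCH}"` is given no expected value, so git compares the remote branch against the local remote-tracking ref, and right after `git checkout -B` that ref exists only if the checkout step (outside the hunk) fetched it. As far as I know, when the tracking ref is missing git expects the branch to be absent on the remote, so a branch left by an earlier run would get the push rejected before the `gh pr edit` path is reached. Fetching it first, `git fetch origin "+refs/heads/${BRANCH}:refs/remotes/origin/${BRANCH}" || true`, gives the lease something to compare against. The identical push in the `@@ -40,15 +40,34 @@` hunk needs the same line.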
@@ -137,7 +137,7 @@ jobs: touch "${RUNNER_TEMP}/digests/${DIGEST#sha256:}" env: DIGEST: ${{ steps.build-and-push.outputs.digest }} - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ steps.devcontainer-arch.outputs.arch }} path: ${{ runner.temp }}/digests/* @@ -229,7 +229,7 @@ jobs: env: FROM_CONTAINER: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:edge TO_CONTAINER: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }} - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: container-diff-${{ needs.sanitize-image-name.outputs.image-basename }} path: container-diff.json diff --git a/.github/workflows/wc-document-generation.yml b/.github/workflows/wc-document-generation.yml index 8da18689..b016412f 100644 --- a/.github/workflows/wc-document-generation.yml +++ b/.github/workflows/wc-document-generation.yml @@ -70,7 +70,7 @@ jobs: uses: docker://pandoc/extra:3.9.0.0-ubuntu@sha256:72afa9c8d3300e5f10c9c4330e101725687f2179bffd912fb859c6d2ae85de62 with: args: --template eisvogel --syntax-highlighting idiomatic --number-sections --output requirements-traceability-matrix.pdf requirements-traceability-matrix.md - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: documents path: | diff --git a/.github/workflows/wc-integration-test-docker.yml b/.github/workflows/wc-integration-test-docker.yml index 2f39528a..d13e2b81 100644 --- a/.github/workflows/wc-integration-test-docker.yml +++ b/.github/workflows/wc-integration-test-docker.yml 
@@ -59,7 +59,7 @@ jobs: IMAGE_BASENAME: ${{ inputs.image-basename }} TEST_FILE: ${{ inputs.test-file }} RUNNER_ARCH: ${{ steps.runner-arch.outputs.arch }} - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: ${{ !cancelled() }} with: name: test-results-integration-docker-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }} diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml index 0b635c3d..d9ceaefc 100644 --- a/.github/workflows/wc-integration-test-podman.yml +++ b/.github/workflows/wc-integration-test-podman.yml @@ -89,7 +89,7 @@ jobs: podman logout "${REGISTRY}" env: REGISTRY: ${{ inputs.registry }} - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: ${{ !cancelled() }} with: name: test-results-integration-podman-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}