diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index dce3d15..d818489 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -26,6 +26,11 @@ permissions: # contents: read
+concurrency:
+ # Intent: scheduled jobs stomp on each other, but manual runs are mostly independent.
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.triggering_actor }}
+ cancel-in-progress: true
+
 jobs: nightly_release: name: build
@@ -33,7 +38,7 @@ jobs: steps: - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: # NB: the `fetch-depth: 0` setting is documented by goreleaser # as a requirement, for the changelog feature to work correctly.
@@ -42,7 +47,7 @@ jobs: persist-credentials: false - name: Set up Go
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 # v5 over v4 updates the Node runtime from node16 to node20. with: # This should be quoted or use .x, but should not be unquoted.
@@ -62,7 +67,7 @@ jobs: - name: Install GoReleaser id: goreleaser-install
- uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+ uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
 with: distribution: goreleaser-pro version: "~> v2"
@@ -70,7 +75,7 @@ jobs: - name: Install cosign id: cosign-install
- uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 # As of actions/setup-go@v4, go modules and build outputs are cached by default. # Prior to the update to use that, we used actions/cache@v3 here for a step:
diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml
index afc7825..e6d6221 100644
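Review bot: `cancel-in-progress: true` in the `concurrency:` block added to nightly.yaml lets a newer run stop one that is partway through the GoReleaser and cosign steps installed further down this workflow. Because the key ends in `github.triggering_actor`, two manual dispatches by different people fall into different groups and are not serialized at all. Whether the `nightly_release` job publishes or signs artifacts is not visible in these hunks, but if it does, a cancelled or overlapping run can leave a nightly release partly uploaded or unsigned. Consider queueing instead of cancelling, for example `group: ${{ github.workflow }}` with `cancel-in-progress: false`. The same key is added to version-update.yaml, where the job holds `contents: write` and pushes a branch, so the same question applies to that hunk.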
--- a/.github/workflows/powershell.yml
+++ b/.github/workflows/powershell.yml
@@ -20,6 +20,11 @@ on: permissions: contents: read
+concurrency:
+ # Intent: scheduled jobs stomp on each other unless there's a push, but pushes only stomp if unchanged
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs: build: permissions:
@@ -29,7 +34,7 @@ jobs: name: PSScriptAnalyzer runs-on: ubuntu-latest steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: # We don't need to work with the git remote after this, so: persist-credentials: false
@@ -47,6 +52,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+ uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
 with: sarif_file: results.sarif
diff --git a/.github/workflows/version-update.yaml b/.github/workflows/version-update.yaml
index 8452627..2356b92 100644
--- a/.github/workflows/version-update.yaml
+++ b/.github/workflows/version-update.yaml
@@ -9,18 +9,23 @@ on: permissions: {}
+concurrency:
+ # Intent: scheduled jobs stomp on each other, but manual runs are mostly independent.
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.triggering_actor }}
+ cancel-in-progress: true
+
 jobs: check_versions: name: Update runs-on: ubuntu-latest permissions:
- contents: write
- pull-requests: write
+ contents: write # we create a branch with updated code, for review
+ pull-requests: write # we create a PR
 steps: - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: fetch-depth: 0 # Need credentials preserved, to push a branch with changes
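Review bot: The comment on the `concurrency:` block added to powershell.yml, "pushes only stomp if unchanged", does not say what has to be unchanged, and the key below it compares no content at all. As written, a new run cancels an in-progress one whenever both share the workflow name, `github.event_name` and `github.ref`. A comment that matches the key would be `# Intent: a newer run replaces an older one only for the same event type on the same ref.` The workflow's `on:` triggers are outside this hunk, so which events actually reach this key cannot be confirmed from here.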
@@ -83,7 +88,7 @@ jobs: - name: Create Pull Request if: steps.update_versions.outputs.updated == 'true'
- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with: token: ${{ secrets.GITHUB_TOKEN }}