diff --git a/.github/workflows/dast-pipeline.yml b/.github/workflows/dast-pipeline.yml
old mode 100755
new mode 100644
index 98d1e42b..5edc64e0
--- a/.github/workflows/dast-pipeline.yml
+++ b/.github/workflows/dast-pipeline.yml
@@ -546,7 +546,7 @@ jobs:
 
       - name: Create issue on failure (nightly scans only)
         if: failure() && github.event_name == 'schedule'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const title = `DAST Security Finding — ${new Date().toISOString().slice(0,10)}`;
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
old mode 100755
new mode 100644
index bbffec0b..12bbb675
--- a/.github/workflows/dependency-check.yml
+++ b/.github/workflows/dependency-check.yml
@@ -280,7 +280,7 @@ jobs:
           merge-multiple: true
 
       - name: Create issues for critical vulnerabilities
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const fs = require('fs');
diff --git a/.github/workflows/production-deploy.yml b/.github/workflows/production-deploy.yml
old mode 100755
new mode 100644
index 998b512c..7e522e6a
--- a/.github/workflows/production-deploy.yml
+++ b/.github/workflows/production-deploy.yml
@@ -425,7 +425,7 @@ jobs:
           exit 1
 
       - name: Create incident issue
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/promotion-pipeline.yml b/.github/workflows/promotion-pipeline.yml
old mode 100755
new mode 100644
index a49d31af..40295c67
--- a/.github/workflows/promotion-pipeline.yml
+++ b/.github/workflows/promotion-pipeline.yml
@@ -771,7 +771,7 @@ jobs:
           GITHUB_RUN_NUMBER: ${{ github.run_number }}
 
       - name: Create or update promotion PR
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml
old mode 100755
new mode 100644
index 95c918cf..038a2059
--- a/.github/workflows/rollback.yml
+++ b/.github/workflows/rollback.yml
@@ -243,7 +243,7 @@ jobs:
 
       # ── 9. Create rollback audit issue ───────────────────────
       - name: Create rollback audit issue
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/security-gate.yml b/.github/workflows/security-gate.yml
old mode 100755
new mode 100644
index 08049ec4..93f7b4ac
--- a/.github/workflows/security-gate.yml
+++ b/.github/workflows/security-gate.yml
@@ -42,7 +42,7 @@ jobs:
     steps:
       - name: Check for override label
         id: check
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const pr = context.payload.pull_request;
@@ -112,7 +112,7 @@ jobs:
     steps:
       - name: Get Code Scanning alerts for this PR
         id: count
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const pr = context.payload.pull_request;
@@ -317,7 +317,7 @@ jobs:
     steps:
       - name: Make gate decision
         id: decide
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const overrideActive = '${{ needs.check-override.outputs.override_active }}' === 'true';