diff --git a/.github/workflows/ci-guardrails.yml b/.github/workflows/ci-guardrails.yml
index 5b17516..27b41ae 100644
--- a/.github/workflows/ci-guardrails.yml
+++ b/.github/workflows/ci-guardrails.yml
@@ -86,7 +86,7 @@ jobs:
             > poutine_results.sarif
 
       - name: Upload poutine SARIF file
-        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           sarif_file: poutine_results.sarif
 
@@ -117,7 +117,7 @@ jobs:
           echo "trufflehog=${trufflehog}" >> "$GITHUB_OUTPUT"
 
       - name: Run TruffleHog
-        uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
+        uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3
         with:
           extra_args: --results=verified,unknown
           version: ${{ steps.versions.outputs.trufflehog }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8a9ef46..88fb6c7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -79,6 +79,6 @@ jobs:
 
       - name: Upload Trivy SARIF file
         if: always()
-        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           sarif_file: trivy-results.sarif
diff --git a/.github/workflows/prs-review.yml b/.github/workflows/prs-review.yml
index 22bcdfb..e179d85 100644
--- a/.github/workflows/prs-review.yml
+++ b/.github/workflows/prs-review.yml
@@ -207,7 +207,7 @@ jobs:
           persist-credentials: false
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
         with:
           config-file: ./.github/dependency-review-config.yml
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dc89b0f..e34d53c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -170,7 +170,7 @@ jobs:
       # validates the native-image version even though no native compilation
       # happens in this job.
       - name: Set up GraalVM
-        uses: graalvm/setup-graalvm@60c26726de13f8b90771df4bc1641a52a3159994 # v1.5.2
+        uses: graalvm/setup-graalvm@bef4b0e916c7dd079bf60fb95d49139f67e32c5f # v1.5.3
         with:
           java-version: '25'
           distribution: 'graalvm-community'
diff --git a/.github/workflows/reusable-native-build.yml b/.github/workflows/reusable-native-build.yml
index 6487148..d33a88f 100644
--- a/.github/workflows/reusable-native-build.yml
+++ b/.github/workflows/reusable-native-build.yml
@@ -56,7 +56,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up GraalVM
-        uses: graalvm/setup-graalvm@60c26726de13f8b90771df4bc1641a52a3159994 # v1.5.2
+        uses: graalvm/setup-graalvm@bef4b0e916c7dd079bf60fb95d49139f67e32c5f # v1.5.3
         with:
           java-version: '25'
           distribution: 'graalvm-community'
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index 38a6829..3ea0bbe 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -44,16 +44,16 @@ jobs:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           languages: java-kotlin,actions
           queries: security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
 
   opengrep:
     name: Analyze (Opengrep)
@@ -90,7 +90,7 @@ jobs:
           echo "opengrep=${opengrep}" >> "$GITHUB_OUTPUT"
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: Download Opengrep
         env:
@@ -120,7 +120,7 @@ jobs:
 
       - name: Upload results to GitHub Code Scanning
         if: always()
-        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           sarif_file: opengrep.sarif
           category: opengrep