diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index 254917259..b59d8ba34 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Check contributor permissions
         id: contributor
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           result-encoding: string
           script: |
@@ -46,7 +46,7 @@ jobs:
 
       - name: Add triage label
         if: steps.contributor.outputs.result == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             await github.rest.issues.addLabels({
diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml
index 258ec9bc6..b8bf87b38 100644
--- a/.github/workflows/release-dev.yml
+++ b/.github/workflows/release-dev.yml
@@ -791,7 +791,7 @@ jobs:
             release/openshell-driver-vm-aarch64-apple-darwin.tar.gz
 
       - name: Prune managed assets from dev release
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 0e9fab9bc..8f880439f 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -795,7 +795,7 @@ jobs:
             release/openshell-driver-vm-aarch64-apple-darwin.tar.gz
 
       - name: Prune removed VM checksum asset
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
diff --git a/.github/workflows/release-vm-kernel.yml b/.github/workflows/release-vm-kernel.yml
index 8bdaab11f..3b21845d8 100644
--- a/.github/workflows/release-vm-kernel.yml
+++ b/.github/workflows/release-vm-kernel.yml
@@ -201,7 +201,7 @@ jobs:
           git push --force origin vm-runtime
 
       - name: Prune stale runtime assets from vm-runtime release
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
diff --git a/.github/workflows/vouch-check.yml b/.github/workflows/vouch-check.yml
index 1b58c2756..db7a540eb 100644
--- a/.github/workflows/vouch-check.yml
+++ b/.github/workflows/vouch-check.yml
@@ -18,7 +18,7 @@ jobs:
       - name: Check org membership
         id: org-check
         if: env.ORG_READ_TOKEN != ''
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           github-token: ${{ secrets.ORG_READ_TOKEN }}
           result-encoding: string
@@ -42,7 +42,7 @@ jobs:
 
       - name: Check if contributor is vouched
         if: steps.org-check.outputs.result != 'skip'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const author = context.payload.pull_request.user.login;
diff --git a/.github/workflows/vouch-command.yml b/.github/workflows/vouch-command.yml
index af4fcca42..309a4ae36 100644
--- a/.github/workflows/vouch-command.yml
+++ b/.github/workflows/vouch-command.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Process /vouch command
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const commenter = context.payload.comment.user.login;