diff --git a/.github/workflows/pr-describe.yml b/.github/workflows/pr-describe.yml
index f073d06..c8d4ab3 100644
--- a/.github/workflows/pr-describe.yml
+++ b/.github/workflows/pr-describe.yml
@@ -21,7 +21,7 @@ jobs:
       id-token: write
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
       - name: Create check run
         id: create-check
@@ -152,7 +152,7 @@ jobs:
 
       - name: Generate description with AI
         id: generate
-        uses: docker/cagent-action@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
         with:
           agent: agentcatalog/github-action-pr-description-generator
           prompt: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 59fcefa..31120fd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -432,7 +432,7 @@ jobs:
         id: slack-summary
         # Pinned to a SHA — automatically updated by the update-self-refs job after each release.
         # GitHub Actions requires static `uses:` values, so we can't pin dynamically.
-        uses: docker/cagent-action@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
         with:
           agent: agentcatalog/github-action-release-notes
           prompt: |
diff --git a/.github/workflows/reply-to-feedback.yml b/.github/workflows/reply-to-feedback.yml
index b38fc99..91c1d3a 100644
--- a/.github/workflows/reply-to-feedback.yml
+++ b/.github/workflows/reply-to-feedback.yml
@@ -35,7 +35,7 @@ jobs:
 
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
       # ----------------------------------------------------------------
       # Download artifact from the triggering workflow run
@@ -313,7 +313,7 @@ jobs:
         if: steps.meta.outputs.proceed == 'true' && steps.auth.outputs.authorized == 'true' && steps.checkout.outcome == 'success' && steps.thread.outcome == 'success'
         id: run-reply
         continue-on-error: true
-        uses: docker/cagent-action/review-pr/reply@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/review-pr/reply@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
         with:
           thread-context: ${{ steps.thread.outputs.prompt }}
           comment-id: ${{ steps.meta.outputs.comment_id }}
diff --git a/.github/workflows/review-pr.yml b/.github/workflows/review-pr.yml
index 1393382..c367ac0 100644
--- a/.github/workflows/review-pr.yml
+++ b/.github/workflows/review-pr.yml
@@ -86,7 +86,7 @@ jobs:
       comment-json: ${{ steps.read.outputs.comment-json }}
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
       - name: Verify token for cross-run artifact download
         shell: bash
@@ -232,7 +232,7 @@ jobs:
         if: |
           steps.command.outputs.is_review != 'false' &&
           steps.draft.outputs.skip != 'true'
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
       - name: Check if org member
         id: membership
@@ -337,7 +337,7 @@ jobs:
           steps.draft.outputs.skip != 'true'
         id: run-review
         continue-on-error: true
-        uses: docker/cagent-action/review-pr@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/review-pr@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
         with:
           pr-number: ${{ steps.pr.outputs.number }}
           comment-id: ${{ inputs.comment-id || github.event.comment.id }}
@@ -506,7 +506,7 @@ jobs:
 
       - name: Setup credentials
         if: steps.bot-guard.outputs.is_bot != 'true' && steps.check.outputs.is_agent == 'true'
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
       - name: Check authorization
         if: steps.check.outputs.is_agent == 'true'
@@ -666,7 +666,7 @@ jobs:
       - name: Run reply
         if: steps.check.outputs.is_agent == 'true' && steps.auth.outputs.authorized == 'true'
         continue-on-error: true
-        uses: docker/cagent-action/review-pr/reply@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/review-pr/reply@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
         with:
           thread-context: ${{ steps.thread.outputs.prompt }}
           comment-id: ${{ steps.feedback.outputs.comment-id }}
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 34220ac..a361e63 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -30,7 +30,7 @@ jobs:
           fetch-depth: 0 # Need full history to get commits from past week
 
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
 
       - name: Get commits from past week
@@ -114,7 +114,7 @@ jobs:
       - name: Run security scan
         id: scan
         if: steps.commits.outputs.has_commits == 'true'
-        uses: docker/cagent-action@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
         with:
           agent: agentcatalog/github-action-security-scanner
           prompt: ${{ steps.commits.outputs.prompt }}
diff --git a/.github/workflows/self-review-pr.yml b/.github/workflows/self-review-pr.yml
index 9ca6dcb..f20eebd 100644
--- a/.github/workflows/self-review-pr.yml
+++ b/.github/workflows/self-review-pr.yml
@@ -49,7 +49,7 @@ jobs:
 
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
       # For workflow_run events (fork PRs), download the artifact saved by pr-review-trigger.yml
       # to get the PR number. For pull_request events, read it directly from the event payload.
@@ -184,7 +184,7 @@ jobs:
     steps:
 
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
       - name: Check if commenter is org member
         id: membership
diff --git a/.github/workflows/update-docker-agent-version.yml b/.github/workflows/update-docker-agent-version.yml
index deac9ee..9eff57a 100644
--- a/.github/workflows/update-docker-agent-version.yml
+++ b/.github/workflows/update-docker-agent-version.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+        uses: docker/cagent-action/.github/actions/setup-credentials@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/review-pr/action.yml b/review-pr/action.yml
index 7fefbb6..267cbf3 100644
--- a/review-pr/action.yml
+++ b/review-pr/action.yml
@@ -678,7 +678,7 @@ runs:
     - name: Process pending feedback
       if: steps.lock-check.outputs.skip != 'true' && steps.pending-feedback.outputs.has_feedback == 'true'
       continue-on-error: true
-      uses: docker/cagent-action@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+      uses: docker/cagent-action@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
       env:
         ACTION_PATH: ${{ github.action_path }}
       with:
@@ -792,7 +792,7 @@ runs:
     - name: Run PR Review
       if: steps.lock-check.outputs.skip != 'true'
       id: run-review
-      uses: docker/cagent-action@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+      uses: docker/cagent-action@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
       env:
         ACTION_PATH: ${{ github.action_path }}
       with:
diff --git a/review-pr/reply/action.yml b/review-pr/reply/action.yml
index 525ed8a..a3b3925 100644
--- a/review-pr/reply/action.yml
+++ b/review-pr/reply/action.yml
@@ -73,7 +73,7 @@ runs:
     - name: Run reply agent
       id: run-reply
       continue-on-error: true
-      uses: docker/cagent-action@f3b82c50bfaca431899c1fcd8f9d2fdd4fe40300 # v1.4.2
+      uses: docker/cagent-action@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
       env:
         ACTION_PATH: ${{ github.action_path }}
       with: