diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index cc10cfe..b11a32c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -33,9 +33,9 @@ jobs: - # Initializes the CodeQL tools for scanning. name: Initialize CodeQL - uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 + uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3 with: languages: ${{ matrix.language }} - name: Analyze ${{ matrix.language }} - uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 + uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3 diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml index 2861c3a..c0001a9 100644 --- a/.github/workflows/go-test.yml +++ b/.github/workflows/go-test.yml @@ -26,7 +26,7 @@ jobs: cache: true - name: golangci-lint - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 + uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0 with: version: latest only-new-issues: true @@ -73,7 +73,7 @@ jobs: ./... - name: Upload coverage artifacts - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: # *.coverage.* pattern is automatically detected by codecov path: '**/*.coverage.*.out' @@ -83,7 +83,7 @@ jobs: name: Upload test report artifacts # upload report even if test fail. BTW, this is when they are valuable. if: ${{ !cancelled() }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: path: '**/unit.report.*.json' name: 'unit.report.${{ matrix.os }}-${{ matrix.go }}' 
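Review bot: In the `golangci-lint` step of `.github/workflows/go-test.yml` (the hunk at -26,7), the action is pinned to a commit SHA, but the unchanged `version: latest` under `with:` still lets the linter binary float. The tool that actually runs in CI is therefore not reproducible and can change without a reviewed commit, which undercuts the pinning this workflow otherwise applies. Since the action is already crossing a major version here (v8.0.0 to v9.0.0), I would pin the linter in the same change, for example `version: <pinned golangci-lint release>  # placeholder, bump together with the action`. The step's `with:` block may continue past the end of the hunk.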
@@ -117,7 +117,7 @@ jobs: repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Download coverage artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: run-id: "${{ github.run_id }}" pattern: "*.coverage.*" @@ -153,7 +153,7 @@ jobs: cache: true - name: Download test report artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: run-id: "${{ github.run_id }}" pattern: "*.report.*" @@ -238,7 +238,7 @@ jobs: # They also handle the storage of past test reports, so as to assess flaky tests. - name: Publish Test Summary Results - uses: ctrf-io/github-test-reporter@646f98cfc16c6f7a0e1f6100cabe2deb95dd2eef # v1.0.22 + uses: ctrf-io/github-test-reporter@024bc4b64d997ca9da86833c6b9548c55c620e40 # v1.0.26 with: report-path: 'reports/ctrf_report_*.json' use-suite-name: true diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml index 285c225..4b95e84 100644 --- a/.github/workflows/scanner.yml +++ b/.github/workflows/scanner.yml @@ -41,7 +41,7 @@ jobs: exit-code: 0 - name: Upload trivy findings to code scanning dashboard - uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 + uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3 with: category: trivy sarif_file: trivy-code-report.sarif