diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml
index caadebd01..dfc1d263b 100644
--- a/.github/workflows/lib-build.yaml
+++ b/.github/workflows/lib-build.yaml
@@ -39,7 +39,7 @@ jobs:
         builder: [buildah, docker]
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
         with:
           go-version-file: go.mod
           check-latest: true
diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml
index 78f593a0d..086fd7789 100644
--- a/.github/workflows/lib-codeql.yaml
+++ b/.github/workflows/lib-codeql.yaml
@@ -19,7 +19,7 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
+    - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
       with:
         go-version-file: go.mod
         check-latest: true
@@ -29,11 +29,11 @@ jobs:
         sudo apt-get update
         sudo apt-get install -y libze1 libze-dev
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
+      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3
       with:
         languages: 'go'
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
+      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3
       with:
         category: "/language:go"
diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml
index d5df60138..739e44a33 100644
--- a/.github/workflows/lib-publish.yaml
+++ b/.github/workflows/lib-publish.yaml
@@ -29,7 +29,7 @@ jobs:
           sudo systemctl stop clamav-freshclam.service
           sudo freshclam
       - name: Cache clamav databases
-        uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: /var/lib/clamav
           key: clamav-${{ github.run_id }}
@@ -59,7 +59,7 @@ jobs:
           - intel-xpumanager-sidecar
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
         with:
           go-version-file: go.mod
           check-latest: true
@@ -80,7 +80,7 @@ jobs:
           sudo mkdir -p /var/lib/clamav
           sudo chmod a+rwx /var/lib/clamav
       - name: Retrieve AV database
-        uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: /var/lib/clamav
           key: clamav-${{ github.run_id }}
diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml
index 7e99c4660..5c769a991 100644
--- a/.github/workflows/lib-scorecard.yaml
+++ b/.github/workflows/lib-scorecard.yaml
@@ -26,6 +26,6 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: "Upload results to security"
-        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
+        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml
index 36ae8b476..2c5c95f92 100644
--- a/.github/workflows/lib-validate.yaml
+++ b/.github/workflows/lib-validate.yaml
@@ -35,7 +35,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
         with:
           go-version-file: go.mod
           check-latest: true
@@ -44,7 +44,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libze1 libze-dev
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@4696ba8babb6127d732c3c6dde519db15edab9ea # v6
+        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
         with:
           version: v1.64.5
           args: -v --timeout 5m
@@ -53,7 +53,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
         with:
           go-version-file: go.mod
           check-latest: true
@@ -82,7 +82,7 @@ jobs:
           - 1.32.x
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
         with:
           go-version-file: go.mod
           check-latest: true
diff --git a/.github/workflows/trivy-periodic.yaml b/.github/workflows/trivy-periodic.yaml
index 5ddc1680f..ff60fd08a 100644
--- a/.github/workflows/trivy-periodic.yaml
+++ b/.github/workflows/trivy-periodic.yaml
@@ -31,6 +31,6 @@ jobs:
         format: sarif
         output: trivy-report.sarif
     - name: Upload sarif report to GitHub Security tab
-      uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
+      uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3
       with:
         sarif_file: trivy-report.sarif