diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index 64635f8..da3ccf1 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -294,7 +294,7 @@ jobs:
         uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
 
       - name: Install yq
-        uses: mikefarah/yq@45be35c06387d692bb6bf689919919e0e32e796f # v4.49.1
+        uses: mikefarah/yq@7ccaf8e700ce99eb3f0f6cef7f5930a0b3c827cd # v4.49.2
 
       - name: Log in to Container Registry
         # Only login when we're going to push (main branch or manual trigger)
diff --git a/.github/workflows/periodic-security-scan.yml b/.github/workflows/periodic-security-scan.yml
index c560191..a8e45d3 100644
--- a/.github/workflows/periodic-security-scan.yml
+++ b/.github/workflows/periodic-security-scan.yml
@@ -48,7 +48,7 @@ jobs:
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
 
       - name: Install yq
-        uses: mikefarah/yq@45be35c06387d692bb6bf689919919e0e32e796f # v4.49.1
+        uses: mikefarah/yq@7ccaf8e700ce99eb3f0f6cef7f5930a0b3c827cd # v4.49.2
 
       - name: Extract metadata from config
         id: meta