diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index c541a45..d38482e 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -51,7 +51,7 @@ jobs:
 # https://github.com/sigstore/cosign-installer
 - name: Install cosign
 if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad #v4.0.0
+ uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 #v4.1.0
 with:
 cosign-release: "v2.2.4"
diff --git a/.github/workflows/release-publisher.yaml b/.github/workflows/release-publisher.yaml
index 95112ac..a4d77ac 100644
--- a/.github/workflows/release-publisher.yaml
+++ b/.github/workflows/release-publisher.yaml
@@ -106,7 +106,7 @@ jobs:
 - name: Create Release
 id: create_release
- uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
+ uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
 with:
 tag_name: ${{ steps.version.outputs.tag_name }}
 draft: false
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
index 0d3c77e..00f887f 100644
--- a/.github/workflows/security-scan.yaml
+++ b/.github/workflows/security-scan.yaml
@@ -24,6 +24,6 @@ jobs:
 severity: 'CRITICAL,HIGH'
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3
+ uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v3
 with:
 sarif_file: 'trivy-results.sarif'