diff --git a/.github/workflows/audit-branch-protection.yml b/.github/workflows/audit-branch-protection.yml
index 50985ce..fb950af 100644
--- a/.github/workflows/audit-branch-protection.yml
+++ b/.github/workflows/audit-branch-protection.yml
@@ -36,7 +36,7 @@ jobs:
 
       - name: Create GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ secrets.BRANCH_PROTECTION_APP_ID }}
           private-key: ${{ secrets.BRANCH_PROTECTION_APP_KEY }}
@@ -175,7 +175,7 @@ jobs:
           echo "::endgroup::"
 
       - name: Upload evidence
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           # Include the ruleset slug so parallel callers (one job per
           # expected ruleset) don't collide on a shared run_id.
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 32c9086..b63dafb 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -30,7 +30,7 @@ jobs:
     steps:
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
         with:
           app-id: ${{ inputs.app-id }}
           private-key: ${{ secrets.CLA_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index e195080..4beaf50 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -28,7 +28,7 @@ jobs:
           custom_labels: '{"feat": "enhancement", "fix": "bug", "refactor": "enhancement"}'
 
       - name: copy-issue-labels
-        uses: michalvankodev/copy-issue-labels@f54e957e58fc976eba5ffa36e1a1030572dbb78d  # 2023-09-12
+        uses: michalvankodev/copy-issue-labels@c4df96ee53d2cdf639ba169a26c43b04d5085cb3  # 2023-09-12
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/.github/workflows/provenance-update.yml b/.github/workflows/provenance-update.yml
index 695ccbc..b439785 100644
--- a/.github/workflows/provenance-update.yml
+++ b/.github/workflows/provenance-update.yml
@@ -107,7 +107,7 @@ jobs:
           token: ${{ secrets.auth_token || steps.app-token.outputs.token || github.token }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ inputs.node-version }}
 
diff --git a/.github/workflows/rust-napi-ci.yml b/.github/workflows/rust-napi-ci.yml
index bbed956..b522104 100644
--- a/.github/workflows/rust-napi-ci.yml
+++ b/.github/workflows/rust-napi-ci.yml
@@ -65,7 +65,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ inputs.node-version }}
       - run: node scripts/version-sync.mjs check
@@ -104,7 +104,7 @@ jobs:
             runtime: node
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ inputs.node-version }}
       - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8
@@ -195,7 +195,7 @@ jobs:
       - if: inputs.build-changed == 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - if: inputs.build-changed == 'true'
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ inputs.node-version }}
       - if: inputs.build-changed == 'true'
@@ -262,7 +262,7 @@ jobs:
       - if: inputs.build-changed == 'true'
         run: bun install --frozen-lockfile
       - if: inputs.build-changed == 'true'
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: artifacts
       - name: Move artifacts