diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index 08d6cc4a..9952a365 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -20,7 +20,7 @@ jobs:
         # remove generated code from coverage calculation
         grep -Ev 'internal/mock|_enumer.go' cover.out.raw > cover.out
     - name: Generage coverage badge
-      uses: vladopajic/go-test-coverage@661e46779fd602ce29d4a4e32fb3a27bce71903c # v2.11.0
+      uses: vladopajic/go-test-coverage@604860ea57b67a2351b4b78071943beecb11ac17 # v2.11.4
       with:
         profile: cover.out
         local-prefix: github.com/${{ github.repository }}
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 51c4328e..1dfdcbb1 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -14,7 +14,7 @@ jobs:
     - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
         go-version: stable
-    - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+    - uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
       with:
         args: --timeout=180s --enable gocritic
   lint-actions:
diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml
index a0f9d5cb..153a055f 100644
--- a/.github/workflows/ossf-analysis.yaml
+++ b/.github/workflows/ossf-analysis.yaml
@@ -26,6 +26,6 @@ jobs:
         # of the value entered here.
         publish_results: true
     - name: Upload SARIF results to code scanning
-      uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+      uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
       with:
         sarif_file: results.sarif
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2acbea08..19964a01 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -30,7 +30,7 @@ jobs:
         rm ./builds/README.md ./builds/release_template.md
         for BUILD in builds/*; do tar --transform="flags=r;s|${BUILD#builds/}|lagoon|" -czf "$BUILD.tar.gz" -C builds "${BUILD#builds/}"; done
     - name: Generate SBOM from Github API
-      uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
+      uses: advanced-security/sbom-generator-action@6fe43abf522b2e7a19bc769aec1e6c848614b517 # v0.0.2
       id: sbom
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}