diff --git a/.github/actions/build-apko-base/action.yml b/.github/actions/build-apko-base/action.yml
index 24c4b5c84a..ad6ea87631 100644
--- a/.github/actions/build-apko-base/action.yml
+++ b/.github/actions/build-apko-base/action.yml
@@ -122,7 +122,7 @@ runs:
 - name: Upload SARIF to GitHub Security
 if: always()
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
 with: # zizmor: ignore[template-injection]
 sarif_file: trivy-${{ inputs.image-name }}-base.sarif
 category: trivy-${{ inputs.image-name }}-base
diff --git a/.github/actions/build-scan-image/action.yml b/.github/actions/build-scan-image/action.yml
index 4da6daa0b6..224323493b 100644
--- a/.github/actions/build-scan-image/action.yml
+++ b/.github/actions/build-scan-image/action.yml
@@ -369,7 +369,7 @@ runs:
 - name: Upload SARIF amd64 to GitHub Security
 if: always()
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
 with:
 sarif_file: trivy-${{ inputs.image-name }}-amd64.sarif
 category: trivy-${{ inputs.image-name }}-amd64
@@ -387,7 +387,7 @@ runs:
 - name: Upload SARIF arm64 to GitHub Security
 if: always() && github.event_name != 'pull_request' && inputs.enable-arm64 == 'true'
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
 with:
 sarif_file: trivy-${{ inputs.image-name }}-arm64.sarif
 category: trivy-${{ inputs.image-name }}-arm64
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
index 61cd4505a3..0c81846b84 100644
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -69,7 +69,7 @@ jobs:
 uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 with:
 # renovate: datasource=github-releases depName=golangci/golangci-lint
- version: v2.11.4
+ version: v2.12.1
 working-directory: cli
 # ── Test (multi-platform) ──
@@ -384,7 +384,7 @@ jobs:
 run: cp LICENSE cli/LICENSE
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
+ uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
 with:
 # renovate: datasource=github-releases depName=goreleaser/goreleaser
 version: v2.15.4
diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml
index afe00b5521..398e788135 100644
--- a/.github/workflows/codspeed.yml
+++ b/.github/workflows/codspeed.yml
@@ -98,7 +98,7 @@ jobs:
 - uses: ./.github/actions/setup-python-uv
 - name: Run CodSpeed Python benchmarks
- uses: CodSpeedHQ/action@658a901452bb54c799643e060733b7afe9121b8d # v4.14.0
+ uses: CodSpeedHQ/action@c381be0bfd20e844fb45594f6aa182ffcd94545c # v4.15.0
 with:
 mode: simulation
 # -n0 overrides the project-wide -n=8 in pyproject.toml addopts;
@@ -133,7 +133,7 @@ jobs:
 run: npm --prefix web ci --fetch-retries=5 --fetch-retry-factor=2 --fetch-retry-mintimeout=2000
 - name: Run CodSpeed Web benchmarks
- uses: CodSpeedHQ/action@658a901452bb54c799643e060733b7afe9121b8d # v4.14.0
+ uses: CodSpeedHQ/action@c381be0bfd20e844fb45594f6aa182ffcd94545c # v4.15.0
 with:
 mode: simulation
 run: npm --prefix web run bench
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index ad1d307db2..65e82c42ab 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -668,7 +668,7 @@ jobs:
 # Renovate watches the binary version via the comment marker
 # below; the action SHA is bumped via the standard
 # ``actions/*`` Renovate manager.
- uses: chainguard-dev/actions/setup-melange@061bc0e921116bde1470f51fb5c86d5318f16558 # v1.6.15
+ uses: chainguard-dev/actions/setup-melange@916fec00fb80f3cd124a0b41eef79ee63f607c5d # v1.6.17
 with:
 # renovate: datasource=github-releases depName=chainguard-dev/melange
 version: v0.50.3
@@ -783,7 +783,7 @@ jobs:
 - name: Upload SARIF to GitHub Security (web)
 if: always()
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
 with:
 sarif_file: trivy-web.sarif
 category: trivy-web
@@ -1378,9 +1378,9 @@ jobs:
 cat pushed-image-tags.txt
 - name: Set up Python
- uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
- python-version: "3.14"
+ python-version: "3.14.4"
 - name: Verify cosign signatures for every pushed (image, tag)
 env:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 6ee3efa269..f22ec34cad 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@ jobs:
 - name: Upload SARIF
 if: ${{ !cancelled() }}
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
 with:
 sarif_file: results.sarif
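Review bot: In the `Set up Python` step of docker.yml (hunk `@@ -1378,9 +1378,9 @@`), `python-version: "3.14.4"` replaces the floating `"3.14"`, so the interpreter installed just before the `Verify cosign signatures` step no longer picks up CPython patch releases on its own; interpreter security fixes now arrive only when this line is bumped. The golangci-lint, goreleaser and melange version pins elsewhere in this diff each carry a `# renovate:` marker, while none is visible on this value. If the exact pin is intentional and tracked by Renovate, a comment above the line such as `# exact patch pin for reproducible verification; bumped by Renovate` would record that. The step's job starts and continues outside the hunk, so existing documentation further up cannot be ruled out.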