diff --git a/.github/workflows/cov.yaml b/.github/workflows/cov.yaml
index 2e359b7583e..70cb46eedc9 100644
--- a/.github/workflows/cov.yaml
+++ b/.github/workflows/cov.yaml
@@ -38,8 +38,8 @@ jobs:
 - name: Convert coverage.out to coverage.lcov
 # Use commit hash here to avoid a re-tagging attack, as this is a third-party action
- # Commit 4e1989767862652e6ca8d3e2e61aabe6d43be28b = tag v1.1.1
- uses: jandelgado/gcov2lcov-action@4e1989767862652e6ca8d3e2e61aabe6d43be28b
+ # Commit e4612787670fc5b5f49026b8c29c5569921de1db = tag v1.2.0
+ uses: jandelgado/gcov2lcov-action@e4612787670fc5b5f49026b8c29c5569921de1db
 with:
 infile: acc.out
 working-directory: src/github.com/nats-io/nats-server
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index eef8928c6ec..9783e415b65 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -33,13 +33,13 @@ jobs:
 - name: Install cosign
 # Use commit hash here to avoid a re-tagging attack, as this is a third-party action
- # Commit 398d4b0eeef1380460a10c8013a76f728fb906ac = tag v3.9.1
- uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac
+ # Commit d58896d6a1865668819e1d91763c7751a165e159 = tag v3.9.2
+ uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159
 - name: Install syft
 # Use commit hash here to avoid a re-tagging attack, as this is a third-party action
- # Commit 9246b90769f852b3a8921f330c59e0b3f439d6e9 = tag v0.20.1
- uses: anchore/sbom-action/download-syft@9246b90769f852b3a8921f330c59e0b3f439d6e9
+ # Commit 7b36ad622f042cab6f59a75c2ac24ccb256e9b45 = tag v0.20.4
+ uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45
 with:
 syft-version: "v1.27.1"
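Review bot: The hash-to-tag mapping for each new pin is recorded only in a free-standing comment above the `uses:` line (the gcov2lcov-action step in cov.yaml, and the cosign-installer and download-syft steps in release.yaml), so nothing on the page ties the new SHAs to v1.2.0, v3.9.2 and v0.20.4. Each hash has to be checked by hand against the upstream repository's tag, since a wrong or fork-only commit would still resolve. Moving the tag onto the pin line, e.g. `uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2`, is the form that update tooling such as Dependabot rewrites together with the hash, which keeps the comment from drifting away from the pin. In the last hunk `syft-version: "v1.27.1"` is still a version string rather than a digest; whether the download step verifies the fetched binary is not visible here and is worth confirming for a release workflow.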