diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d2340cb..384fca7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
       - name: Login to ghcr.io
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # 4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -59,6 +59,6 @@ jobs:
           TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/create-test-mirror-pr.yml b/.github/workflows/create-test-mirror-pr.yml
index fdfe15a..77adc60 100644
--- a/.github/workflows/create-test-mirror-pr.yml
+++ b/.github/workflows/create-test-mirror-pr.yml
@@ -15,7 +15,7 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+      - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         id: octo-sts
         with:
           scope: DataDog/images
@@ -78,7 +78,7 @@ jobs:
 
       - name: Push changes
         if: ${{ steps.create-commit.outputs.has_changes == 'true' }}
-        uses: DataDog/commit-headless@05d7b7ee023e2c7d01c47832d420c2503cd416f3 # action/v2.0.3
+        uses: DataDog/commit-headless@ad3668640012ec69186398f43d61923f6878bbbe # action/v3.2.0
         with:
           target: DataDog/images
           token: "${{ steps.octo-sts.outputs.token }}"
diff --git a/.github/workflows/delete-test-mirror-pr.yml b/.github/workflows/delete-test-mirror-pr.yml
index 2a2b438..08941a4 100644
--- a/.github/workflows/delete-test-mirror-pr.yml
+++ b/.github/workflows/delete-test-mirror-pr.yml
@@ -14,7 +14,7 @@ jobs:
       id-token: write # Required for OIDC token federation
       contents: read
     steps:
-      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+      - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         id: octo-sts
         with:
           scope: DataDog/images
@@ -64,7 +64,7 @@ jobs:
         working-directory: images
 
       - name: Push changes
-        uses: DataDog/commit-headless@05d7b7ee023e2c7d01c47832d420c2503cd416f3 # action/v2.0.3
+        uses: DataDog/commit-headless@ad3668640012ec69186398f43d61923f6878bbbe # action/v3.2.0
         with:
           target: DataDog/images
           token: "${{ steps.octo-sts.outputs.token }}"
diff --git a/.github/workflows/docker-tag.yml b/.github/workflows/docker-tag.yml
index 4eba88e..e98a11c 100644
--- a/.github/workflows/docker-tag.yml
+++ b/.github/workflows/docker-tag.yml
@@ -16,7 +16,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
       - name: Login to ghcr.io
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # 4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
diff --git a/.github/workflows/update-mirror-digests.yml b/.github/workflows/update-mirror-digests.yml
index 29eecd3..829ab90 100644
--- a/.github/workflows/update-mirror-digests.yml
+++ b/.github/workflows/update-mirror-digests.yml
@@ -14,7 +14,7 @@ jobs:
       id-token: write # Required for OIDC token federation
       contents: read
     steps:
-      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+      - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         id: octo-sts
         with:
           scope: DataDog/images
@@ -95,7 +95,7 @@ jobs:
 
       - name: Push changes
         if: ${{ steps.create-commit.outputs.has_changes == 'true' }}
-        uses: DataDog/commit-headless@05d7b7ee023e2c7d01c47832d420c2503cd416f3 # action/v2.0.3
+        uses: DataDog/commit-headless@ad3668640012ec69186398f43d61923f6878bbbe # action/v3.2.0
         with:
           target: DataDog/images
           token: "${{ steps.octo-sts.outputs.token }}"
diff --git a/.github/workflows/vuln-check.yml b/.github/workflows/vuln-check.yml
index 73d0234..86656aa 100644
--- a/.github/workflows/vuln-check.yml
+++ b/.github/workflows/vuln-check.yml
@@ -42,7 +42,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'