diff --git a/.github/workflows/docker-image-to-aws-ecr.yaml b/.github/workflows/docker-image-to-aws-ecr.yaml
index 248f954..9501bf3 100644
--- a/.github/workflows/docker-image-to-aws-ecr.yaml
+++ b/.github/workflows/docker-image-to-aws-ecr.yaml
@@ -64,7 +64,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
+        uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950 # v2
         with:
           registries: ${{ inputs.AWS_ACCOUNT_ID }}
           mask-password: "true" # see: https://github.com/aws-actions/amazon-ecr-login#docker-credentials
diff --git a/.github/workflows/ecr-publish.yaml b/.github/workflows/ecr-publish.yaml
index 58b117f..560faa6 100644
--- a/.github/workflows/ecr-publish.yaml
+++ b/.github/workflows/ecr-publish.yaml
@@ -69,7 +69,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr-public
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
+        uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950 # v2
         with:
           registry-type: public
 
diff --git a/.github/workflows/go-build.yaml b/.github/workflows/go-build.yaml
index b5ac130..2f477e1 100644
--- a/.github/workflows/go-build.yaml
+++ b/.github/workflows/go-build.yaml
@@ -82,14 +82,14 @@ jobs:
     if: always()
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: cover.out
       - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5
         with:
           name: cover.out
       - name: Check test coverage
-        uses: vladopajic/go-test-coverage@679e6807f68f2440a4c43d386442a1d0041838a9 # v2
+        uses: vladopajic/go-test-coverage@f190f667e23b4441202d0bab0f8c2e7bce8925b6 # v2
         with:
           profile: cover.out
           local-prefix: github.com/org/project
diff --git a/.github/workflows/qa-python.yaml b/.github/workflows/qa-python.yaml
index 44bea74..8b9e3a9 100644
--- a/.github/workflows/qa-python.yaml
+++ b/.github/workflows/qa-python.yaml
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7
+        uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7
         with:
           enable-cache: true
           python-version: "${{ inputs.PYTHON_VERSION }}"
diff --git a/.github/workflows/s3-publish.yaml b/.github/workflows/s3-publish.yaml
index 222c675..6a88753 100644
--- a/.github/workflows/s3-publish.yaml
+++ b/.github/workflows/s3-publish.yaml
@@ -29,7 +29,7 @@ jobs:
       - name: Log message
         run: echo "Uploading ${{ inputs.APP_ARTIFACT }} to ${{ inputs.S3_PATH }}"
       - name: Download app artifact
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: ${{ inputs.APP_ARTIFACT }}
       - name: Configure AWS credentials
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index c7701ec..40a1d2b 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -54,7 +54,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ inputs.ENABLE_BANDIT || inputs.ENABLE_SAST }}
     container:
-      image: semgrep/semgrep@sha256:50b839b576d76426efd3e5cffda2db0d8c403f53aa76e91d42ccf51485ac336c
+      image: semgrep/semgrep@sha256:9fb6f44dc162b1e0aada85f072a95141844c61e3bfcedf40b8a46fecf208e986
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - run: semgrep scan --config auto
\ No newline at end of file
diff --git a/.github/workflows/unit-tests-python-uv.yaml b/.github/workflows/unit-tests-python-uv.yaml
index 91849b5..a1b9de8 100644
--- a/.github/workflows/unit-tests-python-uv.yaml
+++ b/.github/workflows/unit-tests-python-uv.yaml
@@ -26,7 +26,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7
+        uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7
         with:
           enable-cache: true