diff --git a/.github/workflows/container-prune.yml b/.github/workflows/container-prune.yml
index 7008e327..b5ab8945 100644
--- a/.github/workflows/container-prune.yml
+++ b/.github/workflows/container-prune.yml
@@ -172,7 +172,7 @@ jobs:
     if: always()
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: prune-*-log-${{ github.run_id }}
           merge-multiple: true
diff --git a/.github/workflows/e2e-tests-split.yml b/.github/workflows/e2e-tests-split.yml
index 3a057c90..861c0ac0 100644
--- a/.github/workflows/e2e-tests-split.yml
+++ b/.github/workflows/e2e-tests-split.yml
@@ -248,7 +248,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -450,7 +450,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -660,7 +660,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -914,7 +914,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -1151,7 +1151,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
@@ -1396,7 +1396,7 @@ jobs:
 
       - name: Download Docker image artifact
         if: needs.build.outputs.image_source == 'build'
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: docker-image
 
diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index 9fbade4c..3aff9b2f 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -430,7 +430,7 @@ jobs:
         run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"
 
       - name: Download SBOM
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: sbom-nightly
 
diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index 9d846de2..b818cd3e 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -240,7 +240,7 @@ jobs:
       - name: Download PR image artifact
         if: github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
         # actions/download-artifact v4.1.8
-        uses: actions/download-artifact@e6d03f67377d4412c7aa56a8e2e4988e6ec479dd
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: ${{ steps.check-artifact.outputs.artifact_name }}
           run-id: ${{ steps.check-artifact.outputs.run_id }}
@@ -385,7 +385,7 @@ jobs:
       - name: Upload Trivy SARIF to GitHub Security
         if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@997acaf7eb44f6d92b5a44be95fd65d9276fee37
+        uses: github/codeql-action/upload-sarif@1a97b0f94ec9297d6f58aefe5a6b5441c045bed4
         with:
           sarif_file: 'trivy-binary-results.sarif'
           category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}