diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index dd73e2cd..6d17aa86 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -25,7 +25,7 @@ jobs:
           fetch-depth: 1
 
       - name: Run Renovate
-        uses: renovatebot/github-action@8d75b92f43899d483728e9a8a7fd44238020f6e6 # v46.1.2
+        uses: renovatebot/github-action@7b4b65bf31e07d4e3e51708d07700fb41bc03166 # v46.1.3
         with:
           configurationFile: .github/renovate.json
           token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index c02e9da2..8eeb9569 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -362,7 +362,7 @@ jobs:
       - name: Run Trivy filesystem scan (SARIF output)
         if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
         # aquasecurity/trivy-action v0.33.1
-        uses: aquasecurity/trivy-action@1bd062560b422f5944df1de50abd05162bea079e
+        uses: aquasecurity/trivy-action@4c61e6329bab9be735ca35291551614bc663dff3
         with:
           scan-type: 'fs'
           scan-ref: ${{ steps.extract.outputs.binary_path }}
@@ -394,7 +394,7 @@ jobs:
       - name: Run Trivy filesystem scan (fail on CRITICAL/HIGH)
         if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
         # aquasecurity/trivy-action v0.33.1
-        uses: aquasecurity/trivy-action@1bd062560b422f5944df1de50abd05162bea079e
+        uses: aquasecurity/trivy-action@4c61e6329bab9be735ca35291551614bc663dff3
         with:
           scan-type: 'fs'
           scan-ref: ${{ steps.extract.outputs.binary_path }}