diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index afdcf923..e9aeaaa0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -43,7 +43,7 @@ jobs:
ref: ${{ github.sha }}
- name: Initialize CodeQL
- uses: github/codeql-action/init@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4
+ uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
with:
languages: ${{ matrix.language }}
# Use CodeQL config to exclude documented false positives
@@ -59,10 +59,10 @@ jobs:
cache-dependency-path: backend/go.sum
- name: Autobuild
- uses: github/codeql-action/autobuild@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4
+ uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4
+ uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
with:
category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index a255bdf4..81a57851 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -558,7 +558,7 @@ jobs:
- name: Upload Trivy results
if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.trivy-check.outputs.exists == 'true'
- uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4.32.3
+ uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
sarif_file: 'trivy-results.sarif'
token: ${{ secrets.GITHUB_TOKEN }}
@@ -704,7 +704,7 @@ jobs:
- name: Upload Trivy scan results
if: always()
- uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4.32.3
+ uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
sarif_file: 'trivy-pr-results.sarif'
category: 'docker-pr-image'
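Review bot: In the docker-build.yml hunk at -558 the pinned commit for `github/codeql-action/upload-sarif` moves from `015d8c7…` to `9e907b5…` while the trailing annotation stays `# v4.32.3`, so the comment was stale before or is stale now — the codeql.yml hunks in this same commit label the identical new SHA as plain `# v4`. The version annotation is what a human auditor and SHA-pinning tooling use to check that a pinned commit really is the release it claims to be, so a mismatched comment undermines the pin. Resolve which tag `9e907b5…` corresponds to and write that version on every `# v4.32.3` line touched here, for example `uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # <resolved tag>`; the same drift appears in nightly-build.yml and security-weekly-rebuild.yml.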
diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index 6dd2003e..c70a8e65 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -99,7 +99,7 @@ jobs:
{ id: 'e2e-tests-split.yml' },
{ id: 'codecov-upload.yml', inputs: { run_backend: 'true', run_frontend: 'true' } },
{ id: 'security-pr.yml' },
- { id: 'supply-chain-pr.yml' },
+ { id: 'supply-chain-verify.yml' },
{ id: 'codeql.yml' },
];
@@ -345,7 +345,7 @@ jobs:
output: 'trivy-nightly.sarif'
- name: Upload Trivy results
- uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4.32.3
+ uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
sarif_file: 'trivy-nightly.sarif'
category: 'trivy-nightly'
diff --git a/.github/workflows/security-weekly-rebuild.yml b/.github/workflows/security-weekly-rebuild.yml
index fd01495a..bfb3f825 100644
--- a/.github/workflows/security-weekly-rebuild.yml
+++ b/.github/workflows/security-weekly-rebuild.yml
@@ -106,7 +106,7 @@ jobs:
severity: 'CRITICAL,HIGH,MEDIUM'
- name: Upload Trivy results to GitHub Security
- uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4.32.3
+ uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
with:
sarif_file: 'trivy-weekly-results.sarif'
diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
index cb68221c..9aec43f7 100644
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -339,7 +339,7 @@ jobs:
- name: Upload SARIF to GitHub Security
if: steps.check-artifact.outputs.artifact_found == 'true'
- uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4
+ uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
continue-on-error: true
with:
sarif_file: grype-results.sarif
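Review bot: Swapping `{ id: 'supply-chain-pr.yml' }` for `{ id: 'supply-chain-verify.yml' }` in `requiredWorkflows` (nightly-build.yml hunk at -99) removes the PR supply-chain workflow from the set of checks this gate waits on, yet supply-chain-pr.yml is still being edited in this same commit and so appears to remain live. If supply-chain-verify.yml does not perform the same image scan whose grype SARIF upload is visible in the supply-chain-pr.yml hunk, the nightly run can now promote an image that scan has not passed; if it is meant to supersede the PR variant, that should be stated and the old workflow retired. The identical substitution in weekly-nightly-promotion.yml has the same effect. A one-line comment above the entry, such as `// supply-chain-verify.yml gates nightly instead of supply-chain-pr.yml — see <reason>`, would make the intent auditable; the array literal begins before this hunk.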
@@ -357,7 +357,7 @@ jobs:
retention-days: 14
- name: Comment on PR
- if: steps.set-target.outputs.image_name != '' && steps.pr-number.outputs.is_push != 'true'
+ if: steps.set-target.outputs.image_name != '' && steps.pr-number.outputs.is_push != 'true' && steps.pr-number.outputs.pr_number != ''
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
diff --git a/.github/workflows/supply-chain-verify.yml b/.github/workflows/supply-chain-verify.yml
index 03653477..36369c04 100644
--- a/.github/workflows/supply-chain-verify.yml
+++ b/.github/workflows/supply-chain-verify.yml
@@ -79,6 +79,17 @@ jobs:
# Replace / with - to avoid invalid reference format errors
TAG=$(echo "${BRANCH}" | tr '/' '-')
fi
+ elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+ BRANCH="${{ github.ref_name }}"
+ if [[ "${BRANCH}" == "main" ]]; then
+ TAG="latest"
+ elif [[ "${BRANCH}" == "development" ]]; then
+ TAG="dev"
+ elif [[ "${BRANCH}" == "nightly" ]]; then
+ TAG="nightly"
+ else
+ TAG=$(echo "${BRANCH}" | tr '/' '-')
+ fi
else
TAG="latest"
fi
@@ -601,7 +612,7 @@ jobs:
- name: Find Existing PR Comment
id: find-comment
if: steps.pr-number.outputs.result != ''
- uses: peter-evans/find-comment@v3.2.0
+ uses: peter-evans/find-comment@v4.0.0
with:
issue-number: ${{ steps.pr-number.outputs.result }}
comment-author: 'github-actions[bot]'
diff --git a/.github/workflows/update-geolite2.yml b/.github/workflows/update-geolite2.yml
index 05d13843..b9b7492e 100644
--- a/.github/workflows/update-geolite2.yml
+++ b/.github/workflows/update-geolite2.yml
@@ -105,7 +105,7 @@ jobs:
- name: Create Pull Request
if: steps.checksum.outputs.needs_update == 'true'
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
with:
title: "chore(docker): update GeoLite2-Country.mmdb checksum"
body: |
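Review bot: `BRANCH="${{ github.ref_name }}"` in the new `workflow_dispatch` branch of supply-chain-verify.yml splices the ref name into the shell script at template time, so a branch whose name contains shell metacharacters (`;`, `$(…)` and backticks are all legal in git ref names) would be executed by the runner rather than compared as data. The standard hardening is to pass it through the environment: add `REF_NAME: ${{ github.ref_name }}` under the step's `env:` and write `BRANCH="${REF_NAME}"`, keeping the `"${BRANCH}"` quoting already used below. Exposure is limited to identities allowed to dispatch the workflow, but this value becomes the image `TAG` that the rest of the job verifies, so it should not be treated as trusted; the `run:` block starts before this hunk and its end is not visible here.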
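Review bot: `uses: peter-evans/find-comment@v4.0.0` (supply-chain-verify.yml hunk at -601) is pinned to a mutable tag, whereas every other third-party action touched in this commit — codeql-action and create-pull-request — is pinned to a full commit SHA with the version in a trailing comment. A tag can be re-pointed upstream after the fact, so this step is the one place in these workflows where a compromised or force-pushed release would run unreviewed code with the job's `GITHUB_TOKEN`. Resolve the commit behind the v4.0.0 tag and pin it the same way as its siblings, `uses: peter-evans/find-comment@<commit-sha> # v4.0.0`.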
diff --git a/.github/workflows/weekly-nightly-promotion.yml b/.github/workflows/weekly-nightly-promotion.yml
index db5569bc..d0f57ae4 100644
--- a/.github/workflows/weekly-nightly-promotion.yml
+++ b/.github/workflows/weekly-nightly-promotion.yml
@@ -444,7 +444,7 @@ jobs:
{ id: 'codeql.yml' },
{ id: 'codecov-upload.yml', inputs: { run_backend: 'true', run_frontend: 'true' } },
{ id: 'security-pr.yml' },
- { id: 'supply-chain-pr.yml' },
+ { id: 'supply-chain-verify.yml' },
];
for (const workflow of requiredWorkflows) {