diff --git a/.github/workflows/auto-update-contributors.yml b/.github/workflows/auto-update-contributors.yml
index 2fc52c18..56b4ecd1 100644
--- a/.github/workflows/auto-update-contributors.yml
+++ b/.github/workflows/auto-update-contributors.yml
@@ -18,7 +18,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Contribute List
-        uses: akhilmhdh/contributors-readme-action@098389139f2fabed92e52606268941dbff381edb # renovate: tag=v2.3.6
+        uses: akhilmhdh/contributors-readme-action@5782c9cb8a97a6023ef24865061ceb87806b3085 # v2.3.8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           use_username: true
diff --git a/.github/workflows/cache-trunk.yml b/.github/workflows/cache-trunk.yml
index 589fc0ff..84a3520a 100644
--- a/.github/workflows/cache-trunk.yml
+++ b/.github/workflows/cache-trunk.yml
@@ -22,6 +22,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Trunk Check
-        uses: trunk-io/trunk-action@65228585e2c6128315f0f2d5190e2eae7f5c32c6 # v1
+        uses: trunk-io/trunk-action@da67635060feab46c164bc130690e61864a5d13b # v1
         with:
           check-mode: populate_cache_only
diff --git a/.github/workflows/changie-trigger-release.yml b/.github/workflows/changie-trigger-release.yml
index eb12fed0..3c6ddd00 100644
--- a/.github/workflows/changie-trigger-release.yml
+++ b/.github/workflows/changie-trigger-release.yml
@@ -17,7 +17,7 @@ jobs:
     name: dependency-release
     steps:
       - name: checkout-repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0 # Ensures a full checkout
       - name: configure-default-git-committer
diff --git a/.github/workflows/lint-post-annotations.yml b/.github/workflows/lint-post-annotations.yml
index 7a2ce6fa..541ff309 100644
--- a/.github/workflows/lint-post-annotations.yml
+++ b/.github/workflows/lint-post-annotations.yml
@@ -17,6 +17,6 @@ jobs:
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Trunk Check
-        uses: trunk-io/trunk-action@718b71fb3e4d83f6734f0c372d92ee7d4c9976d7 # v1.1.11
+        uses: trunk-io/trunk-action@da67635060feab46c164bc130690e61864a5d13b # v1.1.13
         with:
           post-annotations: true # only for fork PRs
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 69346dab..f1ed9aea 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -41,6 +41,6 @@ jobs:
           AQUA_LOG_LEVEL: debug
           AQUA_OPTS: ''
       - name: trunk-check
-        uses: trunk-io/trunk-action@718b71fb3e4d83f6734f0c372d92ee7d4c9976d7 # v1.1.11
+        uses: trunk-io/trunk-action@da67635060feab46c164bc130690e61864a5d13b # v1.1.13
         with:
           arguments: --github-annotate-new-only=true
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index b7d57f3c..9c79b1cc 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -53,7 +53,7 @@ jobs:
       # This should be informational, and not block as it's experimental and no exclusion logic at this time that I've found.
       # https://go.dev/security/vuln/#feedback
       - name: govuln-scan
-        uses: elgohr/go-vulncheck-action@7221c716360fe4f53422dc89fb726d138cd0a27b # renovate tag=v1
+        uses: elgohr/go-vulncheck-action@4499ebcec1d72e1a1beb18300bb42590f40d0616 # renovate tag=v1
         continue-on-error: true
       # - name: mage-vulcheck
       #   run: |
@@ -76,7 +76,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c2dc67199a2e650d535d7de586a07597aea4d9c7 # v2
+        uses: github/codeql-action/init@9ace329d8c0504a5571820cf13ab64d3f59e84fb # v2
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -89,7 +89,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c2dc67199a2e650d535d7de586a07597aea4d9c7 # v2
+        uses: github/codeql-action/autobuild@9ace329d8c0504a5571820cf13ab64d3f59e84fb # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -101,6 +101,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c2dc67199a2e650d535d7de586a07597aea4d9c7 # v2
+        uses: github/codeql-action/analyze@9ace329d8c0504a5571820cf13ab64d3f59e84fb # v2
         with:
           category: '/language:${{matrix.language}}'