diff --git a/.github/actions/golangci-lint/action.yml b/.github/actions/golangci-lint/action.yml
index ffcfeea3d0c..86e15f80b2f 100644
--- a/.github/actions/golangci-lint/action.yml
+++ b/.github/actions/golangci-lint/action.yml
@@ -10,7 +10,8 @@ inputs:
     required: true
   go-directory:
     description: Go directory to run commands from
-    default: "."
+    # XXX: Don't use `.` here due to issues with the golangci-lint-action.
+    default: ""
   # setup-go inputs
   only-modules:
     description: Set to 'true' to only cache modules
@@ -36,6 +37,9 @@ runs:
   using: composite
   steps:
     - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      with:
+        # We only need a full clone on merge_group events for golangci-lint.
+        fetch-depth: ${{ github.event_name == 'merge_group' && '0' || '1' }}"
     - name: Setup Go
       uses: ./.github/actions/setup-go
       with:
@@ -51,13 +55,9 @@ runs:
       shell: bash
       run: go build ./...
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
+      uses: golangci/golangci-lint-action@38e1018663fa5173f3968ea0777460d3de38f256 # v5.3.0
       with:
-        version: v1.59.1
-        # We already cache these directories in setup-go
-        skip-pkg-cache: true
-        skip-build-cache: true
-        # only-new-issues is only applicable to PRs, otherwise it is always set to false
+        version: v1.60.3
         only-new-issues: true
         args: --out-format colored-line-number,checkstyle:golangci-lint-report.xml
         working-directory: ${{ inputs.go-directory }}
diff --git a/.github/workflows/ci-core.yml b/.github/workflows/ci-core.yml
index dd79493d135..9a1a707c194 100644
--- a/.github/workflows/ci-core.yml
+++ b/.github/workflows/ci-core.yml
@@ -57,6 +57,12 @@ jobs:
     # We don't directly merge dependabot PRs, so let's not waste the resources
     if: ${{ (github.event_name == 'pull_request' ||  github.event_name == 'schedule') && github.actor != 'dependabot[bot]' }}
     name: lint
+    permissions:
+      # For golangci-lint-actions to annotate code in the PR.
+      checks: write
+      contents: read
+      # For golangci-lint-action's `only-new-issues` option.
+      pull-requests: read
     runs-on: ubuntu22.04-8cores-32GB
     needs: [filter]
     steps:
@@ -70,6 +76,7 @@ jobs:
           gc-basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
           gc-host: ${{ secrets.GRAFANA_INTERNAL_HOST }}
           gc-org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
+
       - name: Notify Slack
         if: ${{ failure() && github.event.schedule != '' }}
         uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
diff --git a/.github/workflows/ci-scripts.yml b/.github/workflows/ci-scripts.yml
index 73e72eced54..8fa27f66274 100644
--- a/.github/workflows/ci-scripts.yml
+++ b/.github/workflows/ci-scripts.yml
@@ -9,6 +9,12 @@ jobs:
     # We don't directly merge dependabot PRs, so let's not waste the resources
     if: ${{ (github.event_name == 'pull_request' ||  github.event_name == 'schedule') && github.actor != 'dependabot[bot]' }}
     runs-on: ubuntu-latest
+    permissions:
+      # For golangci-lint-actions to annotate code in the PR.
+      checks: write
+      contents: read
+      # For golangci-lint-action's `only-new-issues` option.
+      pull-requests: read
     steps:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Golang Lint
diff --git a/.tool-versions b/.tool-versions
index 7d237b0a4a1..6cd01e3f913 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -5,5 +5,5 @@ pnpm 9.4.0
 postgres 15.1
 helm 3.10.3
 zig 0.11.0
-golangci-lint 1.59.1
+golangci-lint 1.60.3
 protoc 25.1