diff --git a/.github/workflows/dockerfile.yml b/.github/workflows/dockerfile.yml
index e2bcf40..39cc543 100644
--- a/.github/workflows/dockerfile.yml
+++ b/.github/workflows/dockerfile.yml
@@ -30,7 +30,7 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - name: Docker meta
         id: meta
diff --git a/.github/workflows/gradle-library.yml b/.github/workflows/gradle-library.yml
index 91beb23..bb47e20 100644
--- a/.github/workflows/gradle-library.yml
+++ b/.github/workflows/gradle-library.yml
@@ -80,7 +80,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           submodules: ${{ inputs.submodules }}
           # do not persist credentials because this clashes with semantic-release action
@@ -143,7 +143,7 @@ jobs:
         run: ./gradlew ${{ inputs.build-tasks }}
 
       - name: Upload Gradle test reports
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: ${{ !inputs.skip-build && always() }}
         with:
           name: Gradle test reports
@@ -223,7 +223,7 @@ jobs:
       #
       - name: Upload artifact
         if: ${{ inputs.upload-artifact-path != '' }}
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: ${{ inputs.upload-artifact-name }}
           path: ${{ inputs.upload-artifact-path }}
diff --git a/.github/workflows/gradle-service.yml b/.github/workflows/gradle-service.yml
index 8491080..55fe428 100644
--- a/.github/workflows/gradle-service.yml
+++ b/.github/workflows/gradle-service.yml
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       # For each environment variable's key-value pair, mask the value from logs.
       - name: Populate custom environment variables
@@ -94,7 +94,7 @@ jobs:
         run: ./gradlew ${{ inputs.gradle-tasks }}
 
       - name: Upload Gradle test reports
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: always()
         with:
           name: Gradle test reports
diff --git a/.github/workflows/play-service.yml b/.github/workflows/play-service.yml
index 4b38b0d..92ac581 100644
--- a/.github/workflows/play-service.yml
+++ b/.github/workflows/play-service.yml
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
diff --git a/.github/workflows/sbt-library.yml b/.github/workflows/sbt-library.yml
index 38618bc..faaa104 100644
--- a/.github/workflows/sbt-library.yml
+++ b/.github/workflows/sbt-library.yml
@@ -35,7 +35,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with: