diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml
index 8a6f3e4be..cd25d753c 100644
--- a/.github/workflows/lib-build.yaml
+++ b/.github/workflows/lib-build.yaml
@@ -40,7 +40,7 @@ jobs:
 builder: [buildah, docker]
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version-file: go.mod
 check-latest: true
diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml
index 2cfad3d3b..b698d2c29 100644
--- a/.github/workflows/lib-codeql.yaml
+++ b/.github/workflows/lib-codeql.yaml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -29,11 +29,11 @@ jobs:
 sudo apt-get update
 sudo apt-get install -y libze1 libze-dev
 - name: Initialize CodeQL
- uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3
+ uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v3
 with:
 languages: 'go'
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3
+ uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v3
 with:
 category: "/language:go"
diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml
index e2eb8014f..91bbde011 100644
--- a/.github/workflows/lib-publish.yaml
+++ b/.github/workflows/lib-publish.yaml
@@ -29,7 +29,7 @@ jobs:
 sudo systemctl stop clamav-freshclam.service
 sudo freshclam
 - name: Cache clamav databases
- uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: /var/lib/clamav
 key: clamav-${{ github.run_id }}
@@ -58,7 +58,7 @@ jobs:
 - intel-idxd-config-initcontainer
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -69,7 +69,7 @@ jobs:
 run: |
 ORG=${{ inputs.registry }} TAG=${{ inputs.image_tag }} make ${IMAGE_NAME} BUILDER=docker
 - name: Trivy scan for image
- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
 with:
 scan-type: image
 image-ref: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
@@ -79,7 +79,7 @@ jobs:
 sudo mkdir -p /var/lib/clamav
 sudo chmod a+rwx /var/lib/clamav
 - name: Retrieve AV database
- uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: /var/lib/clamav
 key: clamav-${{ github.run_id }}
@@ -99,7 +99,7 @@ jobs:
 if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
 run: IMG=${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
 - name: Login
- uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_PASS }}
@@ -112,7 +112,7 @@ jobs:
 echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }})" >> $GITHUB_OUTPUT
 - name: Install cosign
 if: ${{ inputs.image_tag != 'devel' }}
- uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 #v3.9.2
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad #v4.0.0
 - name: Keyless image sign
 if: ${{ inputs.image_tag != 'devel' }}
 run: |
diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml
index 8465b26fb..8251e7d65 100644
--- a/.github/workflows/lib-scorecard.yaml
+++ b/.github/workflows/lib-scorecard.yaml
@@ -20,12 +20,12 @@ jobs:
 with:
 persist-credentials: false
 - name: "Analyze project"
- uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true
 - name: "Upload results to security"
- uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v3
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml
index 4b044b24c..7abb9a197 100644
--- a/.github/workflows/lib-trivy.yaml
+++ b/.github/workflows/lib-trivy.yaml
@@ -32,7 +32,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 - name: Run Trivy in config mode for deployments
- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
 with:
 scan-type: config
 scan-ref: deployments/
@@ -50,7 +50,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 - name: Run Trivy in config mode for dockerfiles
- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
 with:
 scan-type: config
 scan-ref: build/docker/
@@ -64,7 +64,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 - name: Run Trivy in fs mode
- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
 with:
 scan-type: fs
 scan-ref: .
@@ -81,7 +81,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 - name: Run Trivy in fs mode
- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
 with:
 scan-type: fs
 scan-ref: .
diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml
index fd767009e..c502adb93 100644
--- a/.github/workflows/lib-validate.yaml
+++ b/.github/workflows/lib-validate.yaml
@@ -35,7 +35,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -44,7 +44,7 @@ jobs:
 sudo apt-get update
 sudo apt-get install -y libze1 libze-dev
 - name: golangci-lint
- uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v7
+ uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v7
 with:
 version: v2.4.0
 args: -v --timeout 5m
@@ -53,7 +53,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version-file: go.mod
 check-latest: true
@@ -82,7 +82,7 @@ jobs:
 - 1.33.x
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version-file: go.mod
 check-latest: true
diff --git a/.github/workflows/trivy-periodic.yaml b/.github/workflows/trivy-periodic.yaml
index 5404c53f0..b743e04bb 100644
--- a/.github/workflows/trivy-periodic.yaml
+++ b/.github/workflows/trivy-periodic.yaml
@@ -22,7 +22,7 @@ jobs:
 - name: Run Trivy in fs mode
 # Don't fail in case of vulnerabilities, report them in the next step
 continue-on-error: true
- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
 with:
 scan-type: fs
 scan-ref: .
@@ -31,6 +31,6 @@ jobs:
 format: sarif
 output: trivy-report.sarif
 - name: Upload sarif report to GitHub Security tab
- uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v3
 with:
 sarif_file: trivy-report.sarif