diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0073b302..7671a58c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -67,7 +67,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8
+      uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -80,6 +80,6 @@ jobs:
         # queries: security-extended,security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8
+      uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 62f9f8af..55cbaac8 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -46,7 +46,7 @@ jobs:
         uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
         with:
           install_only: true
-      - uses: yokawasa/action-setup-kube-tools@3e3886c11bfa25fe33f8eb90f59542dd151da442
+      - uses: yokawasa/action-setup-kube-tools@4710caf20bc62368b8edab32f7c9cc7dc3a2ac31
         with:
           kustomize: '5.7.1'
           tilt: '0.36.3'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2e9ae0f3..b74a4a1d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -93,13 +93,13 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Install Helm
-      uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
+      uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2
     - name: Generate manifests
       run: |
         mkdir -p output
         helm template ./deploy --namespace ocm-system --set "manager.image.tag=${{ env.RELEASE_VERSION }}" --include-crds > ./output/install.yaml
     - name: Setup Syft
-      uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
+      uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
     - name: Setup Cosign
       uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22
     - name: Run goreleaser