diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3783d32..9ab6197 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,7 +44,7 @@ jobs:
       - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # post-v2.9.1
 
       - name: Install cargo-llvm-cov
-        uses: taiki-e/install-action@6c1f7cf125e42770ff087ea443901b487cc5471a # v2.79.5
+        uses: taiki-e/install-action@e49978b799e49ff429d162b7a30601a569ab6538 # v2.81.1
         with:
           tool: cargo-llvm-cov
 
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 50590e9..bb082be 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -82,7 +82,7 @@ jobs:
       # Scorecard's Signed-Releases check pattern-matches on the
       # `.sig` extension next to release assets.
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: Sign SBOMs with cosign (keyless)
         run: |
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 3fbdc85..0e4b850 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -102,7 +102,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: EmbarkStudios/cargo-deny-action@a531616d8ce3b9177443e48a1159bc945a099823 # post-v2.0.19, pins cargo-deny 0.19.7
+      - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # post-v2.0.19, pins cargo-deny 0.19.7
         with:
           command: check
           arguments: --all-features