diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a180732..43cf66f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -38,7 +38,7 @@ jobs:
       # SHA-pinned (Scorecard's Pinned-Dependencies check) — these are
       # the same pins build.yml and security.yml use elsewhere.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           # `security-extended` adds queries beyond the default suite
@@ -48,9 +48,9 @@ jobs:
           queries: security-extended
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
+        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index ea0f355..58ac9e2 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -77,7 +77,7 @@ jobs:
       # Scorecard's Signed-Releases check pattern-matches on the
       # `.sig` extension next to release assets.
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: Sign SBOMs with cosign (keyless)
         run: |
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 635ad2d..222fc1d 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -157,7 +157,7 @@ jobs:
           path: results.sarif
           retention-days: 5
       - name: Upload SARIF to code-scanning
-        uses: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           sarif_file: results.sarif