diff --git a/.github/workflows/release-step-3.yml b/.github/workflows/release-step-3.yml
index d7df203..dfc2a26 100644
--- a/.github/workflows/release-step-3.yml
+++ b/.github/workflows/release-step-3.yml
@@ -97,7 +97,7 @@ jobs:
         run: tar xvf ${{ env.TARBALL_FILE }}
 
       - name: generate build provenance
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8  # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f  # v3.2.0
         with:
           subject-path: "${{ github.workspace }}/**/target/*.jar"
 
diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
index f7e430b..782b99c 100644
--- a/.github/workflows/snapshot.yml
+++ b/.github/workflows/snapshot.yml
@@ -67,7 +67,7 @@ jobs:
         run: tar xvf ${{ env.TARBALL_FILE }}
 
       - name: generate build provenance
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8  # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f  # v3.2.0
         with:
           subject-path: "${{ github.workspace }}/**/target/*.jar"
 
diff --git a/.github/workflows/updatecli.yml b/.github/workflows/updatecli.yml
index d97d2e7..49b992b 100644
--- a/.github/workflows/updatecli.yml
+++ b/.github/workflows/updatecli.yml
@@ -26,7 +26,7 @@ jobs:
           permission-contents: write
           permission-pull-requests: write
 
-      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}