diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 472c1af..b7fbf4a 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -100,7 +100,7 @@ jobs:
 jq -r '.packages[] | select(.versionInfo != null) | "\(.name) | \(.versionInfo)"' sbom.json | sort | uniq | head -n 20 | column -t -s '|'
 - name: Upload SBOM Artifact
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@v6
 with:
 name: sbom
 path: sbom.json
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d704cc1..901e0ac 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -4,6 +4,9 @@ name: "CodeQL and Linter Analysis"
 "on":
 push:
+permissions:
+ contents: read
+
 jobs:
 analyze-shell:
 name: Analyze Shell Scripts
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cc3a71c..55fa536 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -115,7 +115,7 @@ jobs:
 fi
 - name: Upload SBOM Artifact
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@v6
 with:
 name: sbom
 path: sbom.json
@@ -141,7 +141,7 @@ jobs:
 git config --global user.name "UDX Worker"
 - name: Download SBOM Artifact
- uses: actions/download-artifact@v6
+ uses: actions/download-artifact@v7
 with:
 name: sbom
diff --git a/Dockerfile b/Dockerfile
index 32705b7..14433b2 100644
--- a/Dockerfile
+++ b/Dockerfile
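Review bot: The workflow-level `permissions:` block added to codeql.yml leaves every scope other than `contents: read` at none, and the jobs it governs (`analyze-shell` onward) continue below the hunk, so it cannot be seen here whether any of them uploads results to code scanning. If one of them runs a CodeQL analyze or SARIF upload step, that job needs its own `permissions:` block adding `security-events: write`, otherwise the upload will be refused. A one-line comment above the new block would make the intent explicit, for example `# Least-privilege default; a job that needs more declares it at job level`.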
@@ -76,16 +76,16 @@ RUN echo $TZ > /etc/timezone && \
 # Install yq (architecture-aware)
 RUN ARCH=$(uname -m) && \
 if [ "$ARCH" = "x86_64" ]; then ARCH="amd64"; elif [ "$ARCH" = "aarch64" ]; then ARCH="arm64"; fi && \
- curl -sL https://github.com/mikefarah/yq/releases/download/v4.49.2/yq_linux_${ARCH}.tar.gz | tar xz && \
+ curl -sL https://github.com/mikefarah/yq/releases/download/v4.50.1/yq_linux_${ARCH}.tar.gz | tar xz && \
 mv yq_linux_${ARCH} /usr/bin/yq && \
 rm -rf /tmp/*
 # Install Google Cloud SDK (architecture-aware)
 RUN ARCH=$(uname -m) && \
 if [ "$ARCH" = "x86_64" ]; then \
- curl -sSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-549.0.0-linux-x86_64.tar.gz" -o google-cloud-sdk.tar.gz; \
+ curl -sSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-551.0.0-linux-x86_64.tar.gz" -o google-cloud-sdk.tar.gz; \
 elif [ "$ARCH" = "aarch64" ]; then \
- curl -sSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-549.0.0-linux-arm.tar.gz" -o google-cloud-sdk.tar.gz; \
+ curl -sSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-551.0.0-linux-arm.tar.gz" -o google-cloud-sdk.tar.gz; \
 fi && \
 tar -xzf google-cloud-sdk.tar.gz && \
 ./google-cloud-sdk/install.sh -q && \
diff --git a/deploy.yml b/deploy.yml
index e4453fb..d54e199 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -12,6 +12,7 @@ config:
 env:
 TEST_ENV_SECRET: "gcp/rabbit-ci-dev/worker-secret-test"
+ TEST_ENV_JSON_KEY: "gcp/rabbit-ci-dev/worker-secret-json-key"
 # Mount volumes
 # volumes:
diff --git a/lib/secrets/gcp.sh b/lib/secrets/gcp.sh
index e3d4616..541ce1c 100644
--- a/lib/secrets/gcp.sh
+++ b/lib/secrets/gcp.sh
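Review bot: The three bumped downloads in the Dockerfile hunk (yq v4.50.1 and google-cloud-sdk 551.0.0 for x86_64 and arm) are unpacked and installed with no integrity check, so each version bump changes the bytes the image trusts without anything recording what they should be. Keep the expected digest next to each version and verify before extracting, by saving the archive to a file and running `echo "<EXPECTED_SHA256>  yq.tar.gz" | sha256sum -c -` ahead of `tar xz`. The yq line also uses `curl -sL` without `-f`, so an HTTP error body is piped straight into `tar`; `curl -fsSL` makes the step fail at the download instead. The Google Cloud SDK `RUN` instruction continues past the end of the hunk.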
@@ -32,7 +32,7 @@ resolve_gcp_secret() {
 # For multiline secrets (like private keys), base64 encode them
 if [[ "$secret_value" == *"-----BEGIN"* ]] || [[ "$secret_value" == *$'\n'* ]]; then
- printf "%s" "$secret_value" | base64
+ printf "%s" "$secret_value" | base64 | tr -d '\n'
 else
 printf "%s" "$secret_value"
 fi
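Review bot: The comment above the branch still says only "base64 encode them", while the function now returns one unwrapped base64 line for any secret containing `-----BEGIN` or a newline and the raw value otherwise, with nothing in the output marking which form was produced. I would update the comment to `# Multiline secrets (e.g. PEM keys) are returned as a single unwrapped base64 line; the caller must decode`. The consumer is outside this hunk, so this is inferred, but it presumably has to repeat the same heuristic to know when to decode, and the new `TEST_ENV_JSON_KEY` entry in deploy.yml would take the encoded path if that secret is stored as multi-line JSON. `resolve_gcp_secret` begins before the hunk.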