diff --git a/.github/workflows/attest.yml b/.github/workflows/attest.yml
index 32ca270..4706f8b 100644
--- a/.github/workflows/attest.yml
+++ b/.github/workflows/attest.yml
@@ -48,7 +48,7 @@ jobs:
 steps:
 - name: "Checkout tagged source"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # Attest only stable tags. Manual dispatches must supply the exact tag.
 ref: "${{ github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name }}"
diff --git a/.github/workflows/benchmark-smoke.yml b/.github/workflows/benchmark-smoke.yml
index 64959c5..86fdcfd 100644
--- a/.github/workflows/benchmark-smoke.yml
+++ b/.github/workflows/benchmark-smoke.yml
@@ -41,7 +41,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 fetch-depth: 0
 persist-credentials: false
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2cb664c..2a5aaaf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -68,7 +68,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # Full history is not strictly required for plain tests, but keeping
 # checkout behavior consistent across workflows helps avoid edge cases
@@ -106,7 +106,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 fetch-depth: 0
 persist-credentials: false
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index ee74b29..4ab94a7 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -55,7 +55,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # commit range validation requires real history.
 fetch-depth: 0
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 994a47f..a5dca49 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -46,7 +46,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 persist-credentials: false
diff --git a/.github/workflows/docs-smoke.yml b/.github/workflows/docs-smoke.yml
index df59d28..1c2e5eb 100644
--- a/.github/workflows/docs-smoke.yml
+++ b/.github/workflows/docs-smoke.yml
@@ -56,7 +56,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # Full history is unnecessary here because the docs smoke script only
 # inspects the checked-out tree, not branch history or diff state.
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 7be3de1..96e49b5 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -35,7 +35,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 fetch-depth: 1
 persist-credentials: false
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index c95f195..fd2da1e 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -44,7 +44,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # Full history is not strictly required by govulncheck itself, but it
 # keeps repository state consistent across push / PR jobs
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4f20c96..fdcee56 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -47,7 +47,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # Full history is not strictly required for ordinary linting, but it is
 # useful for merge-group scenarios and keeps diff-based issue filtering
@@ -76,7 +76,7 @@ jobs:
 - name: "Run golangci-lint"
 # golangci/golangci-lint-action v9
- uses: "golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20"
+ uses: "golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee"
 with:
 # Match the current repository lint configuration baseline.
 #
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index edda443..1fd8f87 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,7 +51,7 @@ jobs:
 steps:
 - name: "Checkout stable tag source"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # Stable releases are published from an existing SemVer tag, not from
 # branch pushes. For manual dispatches, the caller must provide the
@@ -122,7 +122,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # `gh release create --verify-tag` shells out to git and expects a
 # real repository checkout with full history and tags.
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index d303415..c6fe5f6 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -77,13 +77,13 @@ jobs:
 # restrictions and adds useful visibility into outbound network behavior.
 - name: "Harden runner"
 # step-security/harden-runner v2
- uses: "step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40"
+ uses: "step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411"
 with:
 egress-policy: "audit"
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 # Full history improves the quality of some repository checks and keeps
 # the action closer to the official examples.
@@ -110,7 +110,7 @@ jobs:
 - name: "Upload SARIF to GitHub code scanning"
 # github/codeql-action/upload-sarif v4
- uses: "github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
+ uses: "github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e"
 with:
 sarif_file: "results.sarif"
diff --git a/.github/workflows/security-codeql.yml b/.github/workflows/security-codeql.yml
index 77b924a..1e06e17 100644
--- a/.github/workflows/security-codeql.yml
+++ b/.github/workflows/security-codeql.yml
@@ -61,7 +61,7 @@ jobs:
 steps:
 - name: "Checkout repository"
 # actions/checkout v6
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
 with:
 persist-credentials: false
@@ -80,7 +80,7 @@ jobs:
 # right default until proven otherwise.
 - name: "Initialize CodeQL"
 # github/codeql-action/init v4
- uses: "github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
+ uses: "github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e"
 with:
 languages: "${{ matrix.language }}"
 build-mode: "autobuild"
@@ -98,6 +98,6 @@ jobs:
 - name: "Perform CodeQL analysis"
 # github/codeql-action/analyze v4
- uses: "github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
+ uses: "github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e"
 with:
 category: "/language:${{ matrix.language }}"