diff --git a/.github/workflows/ash-ci.yml b/.github/workflows/ash-ci.yml
index 97fa0c1941..d45365503e 100644
--- a/.github/workflows/ash-ci.yml
+++ b/.github/workflows/ash-ci.yml
@@ -82,7 +82,7 @@ jobs:
     if: github.ref == 'refs/heads/main'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: erlef/mix-dependency-submission@dd81a2f0238bd242a4674703ba7b99c0b284b2f1 # v1.1.3
+      - uses: erlef/mix-dependency-submission@bdccfd60e12db8f77147dc6024758e459025f5ee # v1.2.1
     permissions:
       # Give the default GITHUB_TOKEN write permission to call the dependencies API
       contents: write
diff --git a/.github/workflows/test-subprojects.yml b/.github/workflows/test-subprojects.yml
index 27d8173b80..c98ad6a4fe 100644
--- a/.github/workflows/test-subprojects.yml
+++ b/.github/workflows/test-subprojects.yml
@@ -63,7 +63,7 @@ jobs:
       ASH_SQL_VERSION: main
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit