diff --git a/.github/workflows/email-check.yaml b/.github/workflows/email-check.yaml
index 4b6fb0237ba3b..e2253c1a4dc9d 100644
--- a/.github/workflows/email-check.yaml
+++ b/.github/workflows/email-check.yaml
@@ -40,7 +40,7 @@ jobs:
           [{"body" : "$COMMENT"}]
           EOF
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: workflow-args
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index 0686b5d781466..20df85b061689 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -27,7 +27,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: step-security/changed-files@60967b822d3001fa82242f8d6b4ed46bc3600a68 # v47.0.1
+        uses: step-security/changed-files@2e07db73e5ccdb319b9a6c7766bd46d39d304bad # v47.0.5
         with:
           separator: ","
           skip_initial_fetch: true
@@ -83,7 +83,7 @@ jobs:
             --end-rev HEAD \
             --changed-files "$CHANGED_FILES"
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: workflow-args
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 825dd05ccd298..576abba968a91 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/sycl-bandit.yml b/.github/workflows/sycl-bandit.yml
index 0f55e69345897..0769b3ab3cdda 100644
--- a/.github/workflows/sycl-bandit.yml
+++ b/.github/workflows/sycl-bandit.yml
@@ -35,6 +35,6 @@ jobs:
         run: |
           bandit -c devops/bandit.config -r . --exit-zero -f sarif -o bandit_results.sarif
 
-      - uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: bandit_results.sarif
diff --git a/.github/workflows/sycl-detect-changes.yml b/.github/workflows/sycl-detect-changes.yml
index 1153603b85da6..ffb1d7ee5b5f0 100644
--- a/.github/workflows/sycl-detect-changes.yml
+++ b/.github/workflows/sycl-detect-changes.yml
@@ -24,7 +24,7 @@ jobs:
           echo "changed_file_cnt=${{ github.event.pull_request.changed_files }}" >> $GITHUB_OUTPUT
 
       - name: Check file changes
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
+        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d
         if: steps.changed_files.outputs.changed_file_cnt < 500
         id: changes
         with:
diff --git a/.github/workflows/sycl-nightly.yml b/.github/workflows/sycl-nightly.yml
index fc2aacca817cd..034483636ed66 100644
--- a/.github/workflows/sycl-nightly.yml
+++ b/.github/workflows/sycl-nightly.yml
@@ -424,7 +424,7 @@ jobs:
       with:
         name: sycl_windows_default
     - name: Sign with sigstore/cosign
-      uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d # v3.2.0
+      uses: sigstore/gh-action-sigstore-python@04cffa1d795717b140764e8b640de88853c92acc # v3.3.0
       with:
         inputs: sycl_linux.tar.gz sycl_windows.tar.gz
     - name: Compute tag
@@ -437,7 +437,7 @@ jobs:
           echo "TAG=${{ needs.get_date.outputs.date }}-${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
         fi
     - name: Upload binaries
-      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+      uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
       with:
         files: |
           sycl_linux.tar.gz
diff --git a/.github/workflows/sycl-yarpgen.yml b/.github/workflows/sycl-yarpgen.yml
index 4db356fb34e3e..6c6f1a04a4285 100644
--- a/.github/workflows/sycl-yarpgen.yml
+++ b/.github/workflows/sycl-yarpgen.yml
@@ -77,7 +77,7 @@ jobs:
     - name: Pack results
       run: tar -czf yarpgen_results.tar.gz yarpgen/testing
 
-    - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: yarpgen_results
         path: yarpgen_results.tar.gz
diff --git a/.github/workflows/sycl-zizmor.yml b/.github/workflows/sycl-zizmor.yml
index b6ac427a28056..7f42e95c6e855 100644
--- a/.github/workflows/sycl-zizmor.yml
+++ b/.github/workflows/sycl-zizmor.yml
@@ -40,4 +40,4 @@ jobs:
             devops/actions/**/*.yml
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3