ci: update GitHub Actions to Node.js 24 compatible versions

rucoder · rene · commit 3809415730ed · 2026-03-31T11:34:36.000+02:00
GitHub is deprecating Node.js 20 actions. Starting June 2nd, 2026,
actions will be forced to run with Node.js 24 by default, and Node.js
20 will be removed from runners on September 16th, 2026.

Update all GitHub Actions in CI workflows to the latest versions that
support Node.js 24 and pin them to commit SHAs for supply-chain
security:

- actions/checkout v5.0.0 -&gt; v6.0.2
- actions/cache v4.3.0 -&gt; v5.0.4
- actions/upload-artifact v5.0.0 -&gt; v7.0.0
- actions/download-artifact v6.0.0 -&gt; v8.0.1
- actions/setup-go v6.0.0 -&gt; v6.3.0
- docker/login-action v3.6.0 -&gt; v4.0.0
- docker/setup-buildx-action v3 (unpinned) -&gt; v4.0.0 (pinned)
- github/codeql-action v4.31.3 -&gt; v4.35.1
- codecov/codecov-action v5.5.1 -&gt; v6.0.0
- zizmorcore/zizmor-action v0.2.0 -&gt; v0.5.2
- google/osv-scanner-action v1.9.2 -&gt; v2.3.5

Signed-off-by: Mikhail Malyshev &lt;mike.malyshev@gmail.com&gt;
diff --git a/.github/actions/run-make/action.yml b/.github/actions/run-make/action.yml
@@ -27,7 +27,7 @@ runs:
       shell: bash
     - name: Login to Docker Hub
       if: ${{ github.event.repository.full_name == 'lf-edge/eve' }}
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
       with:
         username: ${{ inputs.dockerhub-account }}
         password: ${{ inputs.dockerhub-token }}
diff --git a/.github/workflows/ascii-check.yml b/.github/workflows/ascii-check.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           ref: ${{ github.base_ref }}
           fetch-depth: 0
@@ -28,7 +28,7 @@ jobs:
           git checkout ${{ github.event.pull_request.head.ref }}
 
       - name: Setup Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00  # v6.0.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6.3.0
         with:
           go-version: 1.24
 
diff --git a/.github/workflows/assets.yml b/.github/workflows/assets.yml
@@ -64,7 +64,7 @@ jobs:
             hv: "kvm"
     steps:
       - name: checkout repo
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           ref: ${{ inputs.tag_ref }}
           fetch-depth: 0
@@ -87,8 +87,8 @@ jobs:
         run: |
           rm -rf assets && mkdir -p assets
       - name: Login to Docker Hub
-        if: ${{ github.event.repository.full_name }} == 'lf-edge/eve'
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        if: github.event.repository.full_name == 'lf-edge/eve'
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_PULL_USER }}
           password: ${{ secrets.DOCKERHUB_PULL_TOKEN }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -54,7 +54,7 @@ jobs:
           sudo rm -fr "$GITHUB_WORKSPACE" && mkdir "$GITHUB_WORKSPACE"
           rm -fr ~/.linuxkit
           docker system prune --all --force --volumes
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
@@ -78,7 +78,7 @@ jobs:
       # If we rerun a job without changing the sha, we should not have to rebuild anything.
       # Since the cache is keyed on the head sha, it will retrieve it.
       - name: update linuxkit cache if available
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7  # v5.0.4
         with:
           path: ~/.linuxkit/cache
           key: linuxkit-${{ matrix.arch }}-${{ github.event.pull_request.head.sha }}-${{ matrix.platform }}-${{ matrix.hv }}
@@ -124,7 +124,7 @@ jobs:
     runs-on: ${{ matrix.arch == 'arm64' && 'zededa-ubuntu-2204-arm64' || 'zededa-ubuntu-2204' }}
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
@@ -140,7 +140,7 @@ jobs:
       # So: restore amd64 cache -> load tools -> clear -> restore riscv64 cache.
       - name: load amd64 tool images for riscv64 cross-build
         if: ${{ matrix.arch == 'riscv64' }}
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7  # v5.0.4
         with:
           path: ~/.linuxkit/cache
           key: linuxkit-amd64-${{ github.event.pull_request.head.sha }}-generic-default
@@ -154,7 +154,7 @@ jobs:
       # this cache also contains the tool images we need.
       # The 'rt' platform has no platform-specific packages, so it uses the generic cache.
       - name: update linuxkit cache for target arch
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7  # v5.0.4
         with:
           path: ~/.linuxkit/cache
           key: linuxkit-${{ matrix.arch }}-${{ github.event.pull_request.head.sha }}-${{ matrix.platform == 'rt' && 'generic' || matrix.platform }}-${{ matrix.hv == 'k' && 'k' || 'default' }}
@@ -188,7 +188,7 @@ jobs:
         run: |
           make cache-export ZARCH=${{ matrix.arch }} IMAGE=lfedge/eve:$VERSION-${{ matrix.hv }} OUTFILE=eve-${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }}.tar IMAGE_NAME=$TAG-${{ matrix.hv }}-${{ matrix.arch }}
       - name: Upload EVE ${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }}
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: eve-${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }}
           path: eve-${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }}.tar
diff --git a/.github/workflows/buildondemand.yml b/.github/workflows/buildondemand.yml
@@ -48,7 +48,7 @@ jobs:
           sudo rm -fr "$GITHUB_WORKSPACE" && mkdir "$GITHUB_WORKSPACE"
           rm -fr ~/.linuxkit
           docker system prune --all --force --volumes
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
       - name: ensure zstd for cache  # this should be removed once the arm64 VM includes zstd
@@ -63,7 +63,7 @@ jobs:
           # if the default server is responding -- we can skip apt update
           $APT_INSTALL || { sudo apt update && $APT_INSTALL ; }
       - name: update linuxkit cache if available
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7  # v5.0.4
         with:
           path: ~/.linuxkit/cache
           key: linuxkit-${{ matrix.arch }}-${{ github.sha }}
@@ -116,13 +116,13 @@ jobs:
             hv: k
             platform: "generic"
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
       - name: update linuxkit cache for our arch
         id: cache_for_packages
         if: ${{ matrix.arch != 'amd64' }}  # because our runner arch is amd64; if that changes, this will have to change
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7  # v5.0.4
         with:
           path: ~/.linuxkit/cache
           key: linuxkit-${{ matrix.arch }}-${{ github.sha }}
@@ -146,7 +146,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: packages
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
       - uses: ./.github/actions/run-make
diff --git a/.github/workflows/buildyetusondemand.yml b/.github/workflows/buildyetusondemand.yml
@@ -44,17 +44,17 @@ jobs:
           df -h
           echo Memory
           free -m
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 0
           persist-credentials: false
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
       - name: Login to Docker Hub
         if: ${{ env.REPO_NAME == 'lf-edge/eve' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
         with:
           username: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
           password: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/check-docker-hashes-consistency.yml b/.github/workflows/check-docker-hashes-consistency.yml
@@ -27,12 +27,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Cache Go modules
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7  # v5.0.4
         with:
           path: |
             ~/.cache/go-build
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -46,20 +46,20 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db  # v4.31.3
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13  # v4.35.1
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@014f16e7ab1402f30e7c3329d33797e7948572db  # v4.31.3
+        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13  # v4.35.1
 
       # Command-line programs to run using the OS shell.
       # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db  # v4.31.3
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13  # v4.35.1
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/commit-messages.yml b/.github/workflows/commit-messages.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           ref: ${{ github.base_ref }}
           fetch-depth: 0
diff --git a/.github/workflows/eden-trusted.yml b/.github/workflows/eden-trusted.yml
@@ -39,7 +39,7 @@ jobs:
       skip_run: ${{ steps.check_gate.outputs.skip_run }}
     steps:
       - name: Download
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: run-context
           run-id: ${{ github.event.workflow_run.id }}
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
@@ -42,7 +42,7 @@ jobs:
           sudo rm -fr "$GITHUB_WORKSPACE" && mkdir "$GITHUB_WORKSPACE"
           rm -fr ~/.linuxkit
           docker system prune --all --force --volumes
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
@@ -64,12 +64,12 @@ jobs:
           test-results: dist/amd64/results.json
       - name: Store raw test results
         if: ${{ always() }}
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: 'test-report'
           path: ${{ github.workspace }}/dist
       - name: Get code coverage
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7  # v5.5.1
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2  # v6.0.0
       - name: Clean
         if: ${{ always() }}
         run: |
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -36,7 +36,7 @@ permissions:
 jobs:
   scan-scheduled:
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e994fd8ab13fe1394942045f5945cd39c6c2d68e"  # v1.9.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5"  # v2.3.5
     with:
       scan-args: |-
         --fail-on-vuln=false # Do not fail the build if vulnerabilities are found
@@ -45,4 +45,4 @@ jobs:
 
   scan-pr:
     if: ${{ github.event_name == 'pull_request'}}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e994fd8ab13fe1394942045f5945cd39c6c2d68e"  # v1.9.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5"  # v2.3.5
diff --git a/.github/workflows/pr-gate.yml b/.github/workflows/pr-gate.yml
@@ -144,7 +144,7 @@ jobs:
           echo "exit" > "${{ env.RUN_CONTEXT_FILE }}"
 
       - name: Upload Context for Trusted Workflow
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: run-context
           path: ${{ env.RUN_CONTEXT_FILE }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -50,7 +50,7 @@ jobs:
           df -h
           echo Memory
           free -m
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
       - name: Force fetch annotated tags (workaround)
@@ -63,7 +63,7 @@ jobs:
           echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV"
           echo "TAG=$(echo "$REF" | sed -e 's#^.*/##' -e 's#master#snapshot#' -e 's#main#snapshot#')" >> "$GITHUB_ENV"
       - name: Login to Docker Hub (build)
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
         if: ${{ github.event.repository.full_name == 'lf-edge/eve' }}
         with:
           username: ${{ secrets.DOCKERHUB_PULL_USER }}
@@ -83,7 +83,7 @@ jobs:
           done
           if [ -z "$SUCCESS" ]; then echo "::error::failed to build packages" && exit 1; fi
       - name: Login to Docker Hub (push)
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
         if: ${{ github.event.repository.full_name == 'lf-edge/eve' }}
         with:
           username: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
@@ -146,7 +146,7 @@ jobs:
           df -h
           echo Memory
           free -m
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
       - name: Force fetch annotated tags (workaround)
@@ -171,7 +171,7 @@ jobs:
 
       - name: Login to Docker Hub (build)
         if: ${{ github.event.repository.full_name == 'lf-edge/eve' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
         with:
           username: ${{ secrets.DOCKERHUB_PULL_USER }}
           password: ${{ secrets.DOCKERHUB_PULL_TOKEN }}
@@ -198,7 +198,7 @@ jobs:
           if [ -z "$SUCCESS" ]; then echo "::error::failed to build packages" && exit 1; fi
       - name: Login to Docker Hub (push)
         if: ${{ github.event.repository.full_name == 'lf-edge/eve' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
         with:
           username: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
           password: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
@@ -267,7 +267,7 @@ jobs:
             platform: "evaluation"
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
       - name: Build EVE
@@ -303,7 +303,7 @@ jobs:
     needs: [packages-non-arm, packages-arm]
     runs-on: zededa-ubuntu-2204
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
       - uses: ./.github/actions/run-make
diff --git a/.github/workflows/request_codeowners_review.yml b/.github/workflows/request_codeowners_review.yml
@@ -17,7 +17,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           ref: ${{ github.base_ref }}
           fetch-depth: 0
diff --git a/.github/workflows/rerun-ci.yml b/.github/workflows/rerun-ci.yml
@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Parse CODEOWNERS to get allowed users
         run: |
diff --git a/.github/workflows/spdx.yml b/.github/workflows/spdx.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           ref: ${{ github.base_ref }}
           fetch-depth: 0
diff --git a/.github/workflows/yetus.yml b/.github/workflows/yetus.yml
@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           path: src
           fetch-depth: 0
@@ -40,7 +40,7 @@ jobs:
 
       - name: Store Yetus artifacts
         if: ${{ always() }}
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: 'yetus-scan'
           path: ${{ github.workspace }}/out
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
