diff --git a/.github/workflows/add_issue_to_project.yaml b/.github/workflows/add_issue_to_project.yaml
index cf539c847..09faf705e 100644
--- a/.github/workflows/add_issue_to_project.yaml
+++ b/.github/workflows/add_issue_to_project.yaml
@@ -8,7 +8,7 @@ jobs:
     name: Add issue to Updatecli project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+      - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
         with:
           project-url: https://github.com/orgs/updatecli/projects/2
           github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 39724d8bd..c2c901e26 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -9,18 +9,18 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Use Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24
       - name: Install Hugo
-        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
+        uses: peaceiris/actions-hugo@2752ce1d29631191ea3f27c23495fa06139a5b78 # v3.2.1
         with:
           hugo-version: 0.162.1
           extended: true
       - name: Install Bundler
-        uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
         with:
           ruby-version: 2.7
           bundler-cache: true
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b9e6681a4..bfb5f89af 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,10 +28,10 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -41,7 +41,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
       #- run: |
       #   make bootstrap
       #   make release
@@ -52,4 +52,4 @@ jobs:
         # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
         #    and modify them (or add more) to build your code if your project
         #    uses a compiled language
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
diff --git a/.github/workflows/typos.yaml b/.github/workflows/typos.yaml
index 55269f4eb..7d227c89b 100644
--- a/.github/workflows/typos.yaml
+++ b/.github/workflows/typos.yaml
@@ -1,13 +1,10 @@
 name: Spell check with typos
-
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["**"]
-
 permissions: {}
-
 jobs:
   typos:
     runs-on: ubuntu-latest
@@ -15,10 +12,8 @@ jobs:
       contents: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
-
       - name: Run typos
-        uses: crate-ci/typos@f8a58b6b53f2279f71eb605f03a4ae4d10608f45 # v1.47.0
-
+        uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1.47.2
diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml
index e22e26711..bead44d73 100644
--- a/.github/workflows/updatecli.yaml
+++ b/.github/workflows/updatecli.yaml
@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" # v6.0.3
         with:
           persistent-credentials: false
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@2c3221bc5f4499a99fec2c87d9de4a83cb30e990" # v3.1.3
+        uses: "updatecli/updatecli-action@5bda7da77bf4d181bce5f807d73d832b62062acf" # v3.3.0
         with:
           version: "v0.117.1"
       - name: "Run updatecli"
diff --git a/.github/workflows/updatecli_release.yaml b/.github/workflows/updatecli_release.yaml
index 2dddcbee6..fe4d4f754 100644
--- a/.github/workflows/updatecli_release.yaml
+++ b/.github/workflows/updatecli_release.yaml
@@ -28,19 +28,17 @@ jobs:
             apply_args: "--labels=release:updatecli"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" # v6.0.3
         with:
           persist-credentials: false
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@e71be7554f3f940bc439cf720b3e4e379823c562" # v3.2.0
+        uses: "updatecli/updatecli-action@5bda7da77bf4d181bce5f807d73d832b62062acf" # v3.3.0
         with:
           version: "v0.117.1"
-
       # releasepost is required by the Updatecli
       #   * policy ghcr.io/updatecli/policies/releasepost/releasepost
       - name: "Install Releasepost"
         uses: "updatecli/releasepost-action@864390bddae97db06ee881ab4a08d159b4464643" # v0.5.0
-          
       - name: "Run updatecli"
         run: updatecli compose apply --clean-git-branches=true ${{ matrix.apply_args }} --experimental
         env:
diff --git a/.github/workflows/updatecli_test.yaml b/.github/workflows/updatecli_test.yaml
index 5097f1313..f1e3ffce3 100644
--- a/.github/workflows/updatecli_test.yaml
+++ b/.github/workflows/updatecli_test.yaml
@@ -9,11 +9,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" # v6.0.3
         with:
           persist-credentials: false
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@2c3221bc5f4499a99fec2c87d9de4a83cb30e990" # v3.1.3
+        uses: "updatecli/updatecli-action@5bda7da77bf4d181bce5f807d73d832b62062acf" # v3.3.0
         with:
           version: "v0.117.1"
       - name: "Test updatecli in dry-run mode"
diff --git a/.github/workflows/updatecli_update.yaml b/.github/workflows/updatecli_update.yaml
index acbddd732..95ed31993 100644
--- a/.github/workflows/updatecli_update.yaml
+++ b/.github/workflows/updatecli_update.yaml
@@ -23,11 +23,11 @@ jobs:
             apply_args: "--existing-only=true"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" # v6.0.3
         with:
           persist-credentials: false
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@e71be7554f3f940bc439cf720b3e4e379823c562" # v3.2.0
+        uses: "updatecli/updatecli-action@5bda7da77bf4d181bce5f807d73d832b62062acf" # v3.3.0
         with:
           version: "v0.117.1"
       - name: "Run updatecli"
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index 1045e1fdf..e52b8a19d 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -1,13 +1,10 @@
-name: GitHub Actions Security Analysis with zizmor 🌈
-
+name: "GitHub Actions Security Analysis with zizmor \U0001F308"
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["**"]
-
 permissions: {}
-
 jobs:
   zizmor:
     runs-on: ubuntu-latest
@@ -15,12 +12,11 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
-
-      - name: Run zizmor 🌈
-        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+      - name: "Run zizmor \U0001F308"
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
         with:
           # intentionally not scanning the entire repository,
           inputs: ./.github/