diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index f13bc860..cb55e73b 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -24,7 +24,7 @@ jobs:
       actions: read
       security-events: write
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@daa2c68f50d845057895a9c300e42478481c1d26" # v1.9.1
     with:
       # -r:
       # Recursively scan subdirectories
@@ -46,7 +46,7 @@ jobs:
       actions: read
       security-events: write
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@daa2c68f50d845057895a9c300e42478481c1d26" # v1.9.1
     with:
       # -r:
       # Recursively scan subdirectories
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
index f852ad62..a12080b6 100644
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@@ -34,7 +34,7 @@ jobs:
         with:
           toolchain: stable
       - name: Run release-plz release
-        uses: MarcoIeni/release-plz-action@2d634174257b7f46339e7533865a910743a0c5c9 # v0.5
+        uses: MarcoIeni/release-plz-action@db75300cf27adcd986d6f0cf4a72a4ffcc11dae5 # v0.5
         with:
           command: release
         env:
@@ -70,7 +70,7 @@ jobs:
         with:
           toolchain: stable
       - name: Run release-plz PR task
-        uses: MarcoIeni/release-plz-action@2d634174257b7f46339e7533865a910743a0c5c9 # v0.5
+        uses: MarcoIeni/release-plz-action@db75300cf27adcd986d6f0cf4a72a4ffcc11dae5 # v0.5
         with:
           command: release-pr
         env:
diff --git a/.github/workflows/rust.yaml b/.github/workflows/rust.yaml
index c2207a92..440b0565 100644
--- a/.github/workflows/rust.yaml
+++ b/.github/workflows/rust.yaml
@@ -32,7 +32,7 @@ jobs:
         with:
           toolchain: stable
           target: wasm32-wasi
-      - uses: taiki-e/install-action@c4bf614c2fb42375baf4f51283c33befce095fc5
+      - uses: taiki-e/install-action@68f28718b79cadeadb57e92fa0b1cfb0161dc473
         with:
           tool: wasmtime,cargo-wasi
       - env:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index dd72b283..a5075231 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -65,6 +65,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           sarif_file: results.sarif