diff --git a/.github/actions/ai-pr-review/action.yml b/.github/actions/ai-pr-review/action.yml
index ed063bd..4bb0fbf 100644
--- a/.github/actions/ai-pr-review/action.yml
+++ b/.github/actions/ai-pr-review/action.yml
@@ -95,7 +95,7 @@ runs:
 - name: Claude PR review
 if: steps.cfg.outputs.proceed == 'true' && inputs.provider == 'anthropic'
- uses: anthropics/claude-code-action@38ec876110f9fbf8b950c79f534430740c3ac009 # v1.0.101
+ uses: anthropics/claude-code-action@f4fb5c6cdccc1ee7af63692f5d08d56efaa64cc8 # v1.0.121
 with:
 anthropic_api_key: ${{ inputs.anthropic-api-key }} # zizmor: ignore[secrets-outside-env] -- API key passed via composite input, not a repo secret
 github_token: ${{ inputs.github-token }}
@@ -144,7 +144,7 @@ runs:
 - name: Codex PR review
 id: codex
 if: steps.cfg.outputs.proceed == 'true' && inputs.provider == 'openai'
- uses: openai/codex-action@c25d10f3f498316d4b2496cc4c6dd58057a7b031 # v1.6
+ uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1 # v1.8
 with:
 openai-api-key: ${{ inputs.openai-api-key }} # zizmor: ignore[secrets-outside-env] -- API key passed via composite input, not a repo secret
 model: ${{ steps.cfg.outputs.model }}
diff --git a/.github/actions/ci-notify-nightly-tests/action.yml b/.github/actions/ci-notify-nightly-tests/action.yml
index 5cd8941..cbfa7bf 100644
--- a/.github/actions/ci-notify-nightly-tests/action.yml
+++ b/.github/actions/ci-notify-nightly-tests/action.yml
@@ -31,7 +31,7 @@ runs:
 using: "composite"
 steps:
 - name: Post E2E test results notification
- uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+ uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
 with:
 errors: true
 webhook-type: incoming-webhook
diff --git a/.github/actions/ci-test-notify/action.yml b/.github/actions/ci-test-notify/action.yml
index 3059196..be4f4f2 100644
--- a/.github/actions/ci-test-notify/action.yml
+++ b/.github/actions/ci-test-notify/action.yml
@@ -42,7 +42,7 @@ runs:
 - name: Send Slack notification
 if: inputs.webhook-url != ''
- uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+ uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
 with:
 errors: true
 webhook-type: incoming-webhook
diff --git a/.github/actions/release-notification/action.yml b/.github/actions/release-notification/action.yml
index fb4d583..a29b5ad 100644
--- a/.github/actions/release-notification/action.yml
+++ b/.github/actions/release-notification/action.yml
@@ -64,7 +64,7 @@ runs:
 echo "base_branch=$BRANCH" >> "$GITHUB_OUTPUT"
 - name: Post release notification
 if: inputs.status == 'success'
- uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+ uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
 with:
 errors: true
 webhook-type: incoming-webhook
@@ -113,7 +113,7 @@ runs:
 esac
 - name: Post release failure notification
 if: inputs.status != 'success'
- uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+ uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
 with:
 errors: true
 webhook-type: incoming-webhook
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ba42804..ab65c90 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -13,7 +13,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: read
- uses: loft-sh/github-actions/.github/workflows/validate-renovate.yaml@4207288daf055fa396f57e248dd3c5657c32c65b # validate-renovate/v1
+ uses: loft-sh/github-actions/.github/workflows/validate-renovate.yaml@53686d2452bc48398252887a37ad248c38a7f1eb # validate-renovate/v1
 actionlint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/claude-code-review.yaml b/.github/workflows/claude-code-review.yaml
index 1b1b3d2..d76b64e 100644
--- a/.github/workflows/claude-code-review.yaml
+++ b/.github/workflows/claude-code-review.yaml
@@ -51,7 +51,7 @@ jobs:
 git checkout -B "${PR_HEAD_REF}" "origin/${PR_HEAD_REF}"
 - name: Claude Code Review
- uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # v1
+ uses: anthropics/claude-code-action@f4fb5c6cdccc1ee7af63692f5d08d56efaa64cc8 # v1
 with:
 anthropic_api_key: ${{ secrets.anthropic-api-key }} # zizmor: ignore[secrets-outside-env] -- API key passed via workflow_call, not a repo secret
 github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/claude.yaml b/.github/workflows/claude.yaml
index 31bc384..a19dbcb 100644
--- a/.github/workflows/claude.yaml
+++ b/.github/workflows/claude.yaml
@@ -27,6 +27,6 @@ jobs:
 - name: Run Claude Code
 id: claude
- uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # v1
+ uses: anthropics/claude-code-action@f4fb5c6cdccc1ee7af63692f5d08d56efaa64cc8 # v1
 with:
 anthropic_api_key: ${{ secrets.anthropic-api-key }} # zizmor: ignore[secrets-outside-env] -- API key passed via workflow_call, not a repo secret
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 9011a6c..790362f 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Run Claude Code
 id: claude
- uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # v1
+ uses: anthropics/claude-code-action@f4fb5c6cdccc1ee7af63692f5d08d56efaa64cc8 # v1
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} # zizmor: ignore[secrets-outside-env] -- OAuth token for Claude, no dedicated environment needed
diff --git a/.github/workflows/cleanup-backport-branches.yaml b/.github/workflows/cleanup-backport-branches.yaml
index 92326ca..6f609d3 100644
--- a/.github/workflows/cleanup-backport-branches.yaml
+++ b/.github/workflows/cleanup-backport-branches.yaml
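Review bot: The trailing comment on the new pin in the claude-code-review.yaml hunk still reads `# v1`, which names a major tag rather than the release the SHA was taken from; the pins in the claude.yaml and claude.yml hunks have the same comment. The ai-pr-review/action.yml hunk in this commit annotates the identical commit as v1.0.121, so the three workflow lines could read `uses: anthropics/claude-code-action@f4fb5c6cdccc1ee7af63692f5d08d56efaa64cc8 # v1.0.121`. An exact release in the comment lets a reviewer check the pinned SHA against the upstream tag and keeps the four references to this action visibly in sync.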
@@ -20,7 +20,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: fpicalausa/remove-stale-branches@7c4f2afe88a36c0f9114cd958380979b9d7323fb # v2.4.0
+ - uses: fpicalausa/remove-stale-branches@9b829bc2975ade0c61e64e9613def53ec0732440 # v2.6.1
 with:
 github-token: ${{ secrets.gh-access-token }} # zizmor: ignore[secrets-outside-env] -- PAT passed via workflow_call, not a repo secret
 dry-run: ${{ inputs.dry-run }}
diff --git a/.github/workflows/test-semver-validation.yaml b/.github/workflows/test-semver-validation.yaml
index ce45452..93ad14a 100644
--- a/.github/workflows/test-semver-validation.yaml
+++ b/.github/workflows/test-semver-validation.yaml
@@ -18,7 +18,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: '24'
 - run: npm ci