diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index fc378f41..df2c2bd6 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -11,7 +11,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Use Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24
       - name: Install Hugo
@@ -20,7 +20,7 @@ jobs:
           hugo-version: 0.160.1
           extended: true
       - name: Install Bundler
-        uses: ruby/setup-ruby@e65c17d16e57e481586a6a5a0282698790062f92 # v1
+        uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1
         with:
           ruby-version: 2.7
           bundler-cache: true
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 31004bd2..b9e6681a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -31,7 +31,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -41,7 +41,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
       #- run: |
       #   make bootstrap
       #   make release
@@ -52,4 +52,4 @@ jobs:
         # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
         #    and modify them (or add more) to build your code if your project
         #    uses a compiled language
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
diff --git a/.github/workflows/typos.yaml b/.github/workflows/typos.yaml
index c3844b84..fb8cd65b 100644
--- a/.github/workflows/typos.yaml
+++ b/.github/workflows/typos.yaml
@@ -11,4 +11,4 @@ jobs:
       - name: Checkout Actions Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check spelling of file.txt
-        uses: crate-ci/typos@02ea592e44b3a53c302f697cddca7641cd051c3d # v1.45.0
+        uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1
diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml
index 486415c9..3acbee64 100644
--- a/.github/workflows/updatecli.yaml
+++ b/.github/workflows/updatecli.yaml
@@ -6,9 +6,7 @@ on:
   schedule:
     # Run at 12:00 every Saterday every 14 days
     - cron: "0 12 */14 * *"
-
 permissions: {}
-
 jobs:
   updatecli:
     runs-on: ubuntu-latest
@@ -17,12 +15,10 @@ jobs:
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           persistent-credentials: false
-
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@3e2cbfd2d4bec97ce3ec7155da54ddf599893026" # v3.1.0
+        uses: "updatecli/updatecli-action@af341a800cdbcde3ddcebb7a62410ac06a78a207" # v3.1.2
         with:
           version: "v0.116.0"
-
       - name: "Run updatecli"
         run: updatecli compose apply --clean-git-branches=true --experimental
         env:
diff --git a/.github/workflows/updatecli_release.yaml b/.github/workflows/updatecli_release.yaml
index a49e0231..4ac427e0 100644
--- a/.github/workflows/updatecli_release.yaml
+++ b/.github/workflows/updatecli_release.yaml
@@ -9,9 +9,7 @@ on:
   repository_dispatch:
     types:
       - "updatecli-release"
-
 permissions: {}
-
 jobs:
   updatecli:
     runs-on: ubuntu-latest
@@ -23,17 +21,14 @@ jobs:
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           persist-credentials: false
-
       - name: "Install Updatecli"
-        uses: "updatecli/updatecli-action@3e2cbfd2d4bec97ce3ec7155da54ddf599893026" # v3.1.0
+        uses: "updatecli/updatecli-action@af341a800cdbcde3ddcebb7a62410ac06a78a207" # v3.1.2
         with:
           version: "v0.116.0"
-
       # releasepost is required by the Updatecli
       #   * policy ghcr.io/updatecli/policies/releasepost/releasepost
       - name: "Install Releasepost"
         uses: "updatecli/releasepost-action@864390bddae97db06ee881ab4a08d159b4464643" # v0.5.0
-
       - name: "Run updatecli only on release pipelines"
         run: updatecli compose apply --clean-git-branches=true --labels="release:updatecli" --experimental
         env:
@@ -43,7 +38,6 @@ jobs:
           UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
           UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
           UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
-
       - name: "Run updatecli"
         run: "updatecli compose apply --file updatecli-compose-release.yaml --experimental"
         env:
diff --git a/.github/workflows/updatecli_test.yaml b/.github/workflows/updatecli_test.yaml
index e596b825..7d559f62 100644
--- a/.github/workflows/updatecli_test.yaml
+++ b/.github/workflows/updatecli_test.yaml
@@ -1,10 +1,8 @@
 name: Updatecli Test
 on:
   pull_request:
-
 permissions:
   contents: read
-
 jobs:
   updatecli:
     runs-on: ubuntu-latest
@@ -13,12 +11,10 @@ jobs:
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           persist-credentials: false
-
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@3e2cbfd2d4bec97ce3ec7155da54ddf599893026" # v3.1.0
+        uses: "updatecli/updatecli-action@af341a800cdbcde3ddcebb7a62410ac06a78a207" # v3.1.2
         with:
           version: "v0.116.0"
-
       - name: "Test updatecli in dry-run mode"
         run: "updatecli compose diff --experimental"
         env:
diff --git a/.github/workflows/updatecli_update.yaml b/.github/workflows/updatecli_update.yaml
index b089b3a7..56a6980a 100644
--- a/.github/workflows/updatecli_update.yaml
+++ b/.github/workflows/updatecli_update.yaml
@@ -5,9 +5,7 @@ on:
   push:
     branches:
       - master
-
 permissions: {}
-
 jobs:
   updatecli:
     runs-on: ubuntu-latest
@@ -16,12 +14,10 @@ jobs:
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           persist-credentials: false
-
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@3e2cbfd2d4bec97ce3ec7155da54ddf599893026" # v3.1.0
+        uses: "updatecli/updatecli-action@af341a800cdbcde3ddcebb7a62410ac06a78a207" # v3.1.2
         with:
           version: "v0.116.0"
-
       - name: "Run updatecli only on monitored pipelines"
         run: updatecli compose apply --clean-git-branches=true --labels="monitor:active" --experimental
         env:
@@ -31,7 +27,6 @@ jobs:
           UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
           UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
           UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
-
       - name: "Run updatecli only on existing pipelines"
         run: updatecli compose apply --clean-git-branches=true --existing-only=true --experimental
         env: