diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index f56414e2..c0ad86a3 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -17,7 +17,7 @@ jobs: images: ${{ steps.set-matrix.outputs.images }} steps: - name: Check out the source code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@v4.2.2 - name: Set matrix id: set-matrix @@ -30,7 +30,7 @@ jobs: images: ${{ steps.set-matrix.outputs.images }} steps: - name: Check out the source code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@v4.2.2 - name: Set matrix id: set-matrix @@ -49,7 +49,7 @@ jobs: image: ${{ fromJson(needs.prepare-base.outputs.images) }} steps: - name: Check out the repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 with: fetch-depth: 0 @@ -154,7 +154,7 @@ jobs: packages: write steps: - name: Check out the repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 with: fetch-depth: 0 @@ -199,7 +199,7 @@ jobs: packages: write steps: - name: Check out the repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 with: fetch-depth: 0 @@ -252,7 +252,7 @@ jobs: image: ${{ fromJson(needs.prepare-others.outputs.images) }} steps: - name: Check out the repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 with: fetch-depth: 0 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 891eaefb..87de3e44 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ jobs: images: ${{ steps.set-matrix.outputs.images }} steps: - name: Check out the repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@v4.2.2 - name: Set matrix id: set-matrix 
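Review bot: Replacing the full commit SHA with the tag `v4.2.2` on each `actions/checkout` step makes the reference mutable, because a tag can be re-pointed to different code while the 40-character SHA cannot. The same substitution repeats in every hunk of build-push.yml and in build.yml, features-auto.yml, features-global.yml, features-scenarios.yml, generate-docs.yml, sanity-checks.yml, shellcheck.yml and validate.yml. The exposure is largest where the hunk context shows write grants: the build-push.yml jobs with `packages: write` (hunks at old lines 154 and 199) and the generate-docs.yml job with `pull-requests: write`. I would keep `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` everywhere and only add the missing `# v4.2.2` comment to the steps that lacked it, which also stays consistent with the SHA-pinned `devcontainers/action` lines in generate-docs.yml and validate.yml. The jobs continue outside these hunks, so other steps were not checked.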
@@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 with: fetch-depth: 0 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..caea65f1 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,45 @@ +name: CodeQL + +on: + push: + branches: + - trunk + pull_request: + branches: + - trunk + schedule: + - cron: '27 21 * * 0' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + permissions: + security-events: write + packages: read + actions: read + contents: read + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: security-extended,security-and-quality + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/features-auto.yml b/.github/workflows/features-auto.yml index 2942c75b..3e2b822e 100644 --- a/.github/workflows/features-auto.yml +++ b/.github/workflows/features-auto.yml @@ -53,7 +53,7 @@ jobs: baseImage: mcr.microsoft.com/devcontainers/base:alpine steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 - name: Install @devcontainers/cli run: npm install -g @devcontainers/cli diff --git a/.github/workflows/features-global.yml b/.github/workflows/features-global.yml index 1638b87a..32466bff 100644 --- a/.github/workflows/features-global.yml +++ b/.github/workflows/features-global.yml 
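Review bot: The new codeql.yml references `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` by floating major tags, in a job that holds `security-events: write`. Those tags advance with every release in the major line, so this file does not fix which code runs in the scanning job, and it is looser than the `v4.2.2` used in the other workflows of this commit. I would pin each to a full commit SHA with the version as a trailing comment, for example `uses: github/codeql-action/init@<full-commit-sha> # v3.x.y` (placeholder values; take the SHA from the release you intend to run). An update bot such as Dependabot can then keep the pins current, so pinning does not mean missing upstream fixes.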
@@ -32,7 +32,7 @@ jobs: - php84-ubuntu-base steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 - name: Install @devcontainers/cli run: npm install -g @devcontainers/cli diff --git a/.github/workflows/features-scenarios.yml b/.github/workflows/features-scenarios.yml index 8c8baee2..602a9550 100644 --- a/.github/workflows/features-scenarios.yml +++ b/.github/workflows/features-scenarios.yml @@ -58,7 +58,7 @@ jobs: - feature: wptl steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 - name: Install @devcontainers/cli run: npm install -g @devcontainers/cli diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml index b711f30d..4f52d322 100644 --- a/.github/workflows/generate-docs.yml +++ b/.github/workflows/generate-docs.yml @@ -22,7 +22,7 @@ jobs: pull-requests: write steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 - name: Generate documentation uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1.4.3 diff --git a/.github/workflows/sanity-checks.yml b/.github/workflows/sanity-checks.yml index 1756681a..b444bdcc 100644 --- a/.github/workflows/sanity-checks.yml +++ b/.github/workflows/sanity-checks.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the source code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 with: fetch-depth: 0 diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index c9432af6..a104a1f1 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml 
@@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out source code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 - name: Add error matcher run: echo "::add-matcher::$(pwd)/.github/problem-matcher-gcc.json" diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index fb2ebff7..77262988 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v4.2.2 - name: Validate devcontainer-feature.json files uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1.4.3