diff --git a/.github/workflows/attach-binaries-to-release.yml b/.github/workflows/attach-binaries-to-release.yml
index 7fdc8e524e..f9e9d95b52 100644
--- a/.github/workflows/attach-binaries-to-release.yml
+++ b/.github/workflows/attach-binaries-to-release.yml
@@ -221,7 +221,7 @@ jobs:
             ./tmp/walrus-${{ env.walrus_tag }}-${{ env.os_type }}.tgz
 
       - name: Attach artifacts to ${{ env.walrus_tag }} release in GH
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # pin@v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # pin@v2.6.1
         with:
           tag_name: ${{ env.walrus_tag }}
           files: |
diff --git a/.github/workflows/code.yml b/.github/workflows/code.yml
index 8cba548359..6f8144653f 100644
--- a/.github/workflows/code.yml
+++ b/.github/workflows/code.yml
@@ -206,7 +206,7 @@ jobs:
 
       - name: Restore cached sui binary
         id: cache-sui-restore
-        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # pin@v5.0.3
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # pin@v5.0.4
         with:
           path: ${{ env.SUI_BIN }}
           key: ${{ runner.os }}-${{ runner.arch }}-${{ env.SUI_TAG }}
@@ -225,7 +225,7 @@ jobs:
         run: bash ./scripts/move_tests.sh
       - name: Cache sui binary
         if: ${{ github.ref == 'refs/heads/main' && steps.cache-sui-restore.outputs.cache-hit != 'true' }}
-        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # pin@v5.0.3
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # pin@v5.0.4
         with:
           path: ${{ env.SUI_BIN }}
           key: ${{ steps.cache-sui-restore.outputs.cache-primary-key }}
diff --git a/.github/workflows/gen-sui-upgrade-version-pr.yml b/.github/workflows/gen-sui-upgrade-version-pr.yml
index 0b1ba1bc05..cd4758d19d 100644
--- a/.github/workflows/gen-sui-upgrade-version-pr.yml
+++ b/.github/workflows/gen-sui-upgrade-version-pr.yml
@@ -78,7 +78,7 @@ jobs:
 
       - name: Generate automerge token
         id: automerge_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # pin@v2.2.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # pin@v3.0.0
         with:
           app-id: ${{ secrets.WALRUS_AUTOMERGE_APP_ID }}
           private-key: ${{ secrets.WALRUS_AUTOMERGE_PRIVATE_KEY }}
diff --git a/.github/workflows/notify-walrus-sites.yml b/.github/workflows/notify-walrus-sites.yml
index 9997714137..6cd7cba4b4 100644
--- a/.github/workflows/notify-walrus-sites.yml
+++ b/.github/workflows/notify-walrus-sites.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Generate app token for cross-repo dispatch
         id: app_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # pin@v2.2.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # pin@v3.0.0
         with:
           app-id: ${{ secrets.WALRUS_AUTOMERGE_APP_ID }}
           private-key: ${{ secrets.WALRUS_AUTOMERGE_PRIVATE_KEY }}
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index f21d5bb9b1..a7cf23457f 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -108,7 +108,7 @@ jobs:
       - name: Generate automerge token
         if: inputs.delivery == 'pr'
         id: automerge_token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # pin@v2.2.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # pin@v3.0.0
         with:
           app-id: ${{ secrets.WALRUS_AUTOMERGE_APP_ID }}
           private-key: ${{ secrets.WALRUS_AUTOMERGE_PRIVATE_KEY }}