diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fb6784882..b8b1f1804 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -378,7 +378,7 @@ jobs:
           if-no-files-found: error
 
       - name: Attest
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        uses: actions/attest-build-provenance@bd77c077858b8d561b7a36cbe48ef4cc642ca39d # v2.2.2
         if: |
           github.event_name != 'pull_request' &&
           (startsWith(github.ref, 'refs/heads/release/') ||
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index f113750ba..5b6542dfe 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -313,7 +313,7 @@ jobs:
           submodules: true
 
       - name: Setup
-        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
+        uses: msys2/setup-msys2@61f9e5e925871ba6c9e3e8da24ede83ea27fa91f # v2.27.0
         with:
           msystem: ${{ matrix.msystem }}
           update: true
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 841b5cfe8..98f15abed 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -31,7 +31,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # tag=v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif