diff --git a/template/.github/workflows/scorecard.yml.jinja b/template/.github/workflows/scorecard.yml.jinja
index 5d78b0b..b5dfedf 100644
--- a/template/.github/workflows/scorecard.yml.jinja
+++ b/template/.github/workflows/scorecard.yml.jinja
@@ -77,7 +77,7 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
+        uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
         with:
           sarif_file: results.sarif
 {%- endraw %}
diff --git a/template/.github/workflows/{% if add_autobump_workflow %}update-lockfiles.yml{% endif %} b/template/.github/workflows/{% if add_autobump_workflow %}update-lockfiles.yml{% endif %}
index 3af501a..cebfe92 100644
--- a/template/.github/workflows/{% if add_autobump_workflow %}update-lockfiles.yml{% endif %}	
+++ b/template/.github/workflows/{% if add_autobump_workflow %}update-lockfiles.yml{% endif %}	
@@ -21,7 +21,7 @@ jobs:
         run: |
           pixi update --json --no-install | pixi exec pixi-diff-to-markdown >> diff.md
       - name: Create pull request
-        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Update pixi lockfile