diff --git a/.github/workflows/__greetings.yml b/.github/workflows/__greetings.yml
index 5af05c6..b5c2f1b 100644
--- a/.github/workflows/__greetings.yml
+++ b/.github/workflows/__greetings.yml
@@ -13,4 +13,4 @@ permissions:
 jobs:
 greetings:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
diff --git a/.github/workflows/__need-fix-to-issue.yml b/.github/workflows/__need-fix-to-issue.yml
index f107294..935e48a 100644
--- a/.github/workflows/__need-fix-to-issue.yml
+++ b/.github/workflows/__need-fix-to-issue.yml
@@ -20,7 +20,7 @@ permissions:
 jobs:
 main:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
 with:
 manual-commit-ref: ${{ inputs.manual-commit-ref }}
 manual-base-ref: ${{ inputs.manual-base-ref }}
diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml
index 6613b6e..dde6342 100644
--- a/.github/workflows/__pull-request-ci.yml
+++ b/.github/workflows/__pull-request-ci.yml
@@ -6,6 +6,7 @@ on:
 branches: [main]
 permissions:
+ actions: read
 contents: read
 security-events: write
 statuses: write
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
index 84a0363..c9c05a0 100644
--- a/.github/workflows/__shared-ci.yml
+++ b/.github/workflows/__shared-ci.yml
@@ -4,6 +4,7 @@ on:
 workflow_call:
 permissions:
+ actions: read
 contents: read
 security-events: write
 statuses: write
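Review bot: `actions: read` is added to the workflow-level `permissions` block of `__pull-request-ci.yml` with no comment saying which job needs it, and `__shared-ci.yml` gets the same line the same way. At workflow level the scope is inherited by every job and is also the ceiling handed to each reusable workflow called with `uses:`, so all of them gain read access to the repository's Actions API (runs, logs, artifacts), not only the consumer. Presumably the `linter.yml` bumped to 0.22.3 in this commit is what requires it; if so, record that on the grant, e.g. `actions: read # required by ci-github-common linter.yml`, or grant it only on the calling job via `jobs.linter.permissions` (which then has to list everything that job needs, since a job-level block replaces the inherited set). Both `permissions` blocks start outside their hunks, so any existing job-level overrides are not visible here.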
@@ -12,7 +13,7 @@ permissions:
 jobs:
 linter:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
 test-action-dependencies-cache:
 name: Test action "dependencies-cache"
diff --git a/.github/workflows/__stale.yml b/.github/workflows/__stale.yml
index dde23c4..f51172e 100644
--- a/.github/workflows/__stale.yml
+++ b/.github/workflows/__stale.yml
@@ -10,4 +10,4 @@ permissions:
 jobs:
 main:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
diff --git a/.github/workflows/__test-workflow-continuous-integration.yml b/.github/workflows/__test-workflow-continuous-integration.yml
index 17e994b..ec89b68 100644
--- a/.github/workflows/__test-workflow-continuous-integration.yml
+++ b/.github/workflows/__test-workflow-continuous-integration.yml
@@ -25,7 +25,7 @@ jobs:
 needs: act
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: build
 path: "/"
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 70191d5..6861cb1 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -66,11 +66,11 @@ jobs:
 security-events: write
 runs-on: "ubuntu-latest"
 steps:
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
- - uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
+ - uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
 with:
 languages: ${{ inputs.code-ql }}
- - uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+ - uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
 dependency-review:
 name: 🛡️ Dependency Review
@@ -79,7 +79,7 @@ jobs:
 contents: read
 runs-on: "ubuntu-latest"
 steps:
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
 - uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0
 setup:
@@ -93,7 +93,7 @@ jobs:
 build-commands: ${{ steps.build-variables.outputs.commands }}
 build-artifact: ${{ steps.build-variables.outputs.artifact }}
 steps:
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
 # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
 # jscpd:ignore-start
@@ -168,7 +168,7 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
 # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
 - id: oidc
@@ -204,7 +204,7 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
 if: needs.setup.outputs.build-commands
 # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
@@ -267,10 +267,10 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@abd5469ef96aaa3fa1508e2cbaa3e76734533e8a # 0.22.2
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@95664be4ec235bfc221c4356c7153cbab3fb8f93 # 0.22.3
 - if: needs.setup.outputs.build-artifact
- uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: build
 path: "/"