diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4bf5250878f8..dcd4f180171c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -63,7 +63,7 @@ jobs:
           cache-read-only: ${{ github.event_name == 'pull_request' }}
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8
+        uses: github/codeql-action/init@42213152a85ae7569bdb6bec7bcd74cd691bfe41 # v3.30.9
         with:
           languages: ${{ matrix.language }}
           # using "linked" helps to keep up with the linked Kotlin support
@@ -84,6 +84,6 @@ jobs:
           --no-build-cache --no-daemon
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8
+        uses: github/codeql-action/analyze@42213152a85ae7569bdb6bec7bcd74cd691bfe41 # v3.30.9
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index e99a4c1e0aed..aeb0d6f0b48d 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8
+        uses: github/codeql-action/upload-sarif@42213152a85ae7569bdb6bec7bcd74cd691bfe41 # v3.30.9
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/pr-automation-comments.yml b/.github/workflows/pr-automation-comments.yml
index 461e2f5c3167..c37e1d6d69c0 100644
--- a/.github/workflows/pr-automation-comments.yml
+++ b/.github/workflows/pr-automation-comments.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Comment on PR
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
             const { data: comments } = await github.rest.issues.listComments({
@@ -64,7 +64,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Comment on PR
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
             const { data: comments } = await github.rest.issues.listComments({
diff --git a/benchmark-overhead/Dockerfile.petclinic b/benchmark-overhead/Dockerfile.petclinic
index b59226ad4acc..d29b5d403174 100644
--- a/benchmark-overhead/Dockerfile.petclinic
+++ b/benchmark-overhead/Dockerfile.petclinic
@@ -1,4 +1,4 @@
-FROM eclipse-temurin:11.0.28_6-jdk@sha256:28d7b8bf8420d0a6fcb5eb5c0fbe0cb51e8a71635c2eabbba1b13fcd83c63ac7 as app-build
+FROM eclipse-temurin:11.0.28_6-jdk@sha256:ed9802af79941c6e0c0442445c8c51e754c1fc1d0a78b6072d6707b918f404ba as app-build
 
 # This is the base image that will contain a built version of the spring-petclinic-rest
 # application. Installing the dependencies and maven compiling the application is time
diff --git a/smoke-tests/images/early-jdk8/Dockerfile b/smoke-tests/images/early-jdk8/Dockerfile
index 4b1424408d63..7bcc65fa8e65 100644
--- a/smoke-tests/images/early-jdk8/Dockerfile
+++ b/smoke-tests/images/early-jdk8/Dockerfile
@@ -1,5 +1,5 @@
 # https://github.com/zulu-openjdk/zulu-openjdk/blob/master/ubuntu/8u412-8.78/Dockerfile
-FROM ubuntu:noble-20251001@sha256:c088e23bdf7b8b339bd38150d130d17e5f6ee016f3c422755bdb1da919c2ff32
+FROM ubuntu:noble-20251001@sha256:66460d557b25769b102175144d538d88219c077c678a49af4afca6fbfc1b5252
 
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
diff --git a/smoke-tests/images/fake-backend/src/docker/backend/windows.dockerfile b/smoke-tests/images/fake-backend/src/docker/backend/windows.dockerfile
index 782a6afd7ad2..c50df5e28fb7 100644
--- a/smoke-tests/images/fake-backend/src/docker/backend/windows.dockerfile
+++ b/smoke-tests/images/fake-backend/src/docker/backend/windows.dockerfile
@@ -1,3 +1,3 @@
-FROM eclipse-temurin:21.0.8_9-jdk-windowsservercore-ltsc2022@sha256:cb9b993b611e1a3201860d97bcfa92a1a1004bf97ce69685863d50945a7fd547
+FROM eclipse-temurin:21.0.8_9-jdk-windowsservercore-ltsc2022@sha256:b5f3c18f0235658f400cb75ab69c650eb3f8c03aa12135759dffdf7f67836dc5
 COPY fake-backend.jar /fake-backend.jar
 CMD ["java", "-jar", "/fake-backend.jar"]
diff --git a/smoke-tests/images/servlet/src/jetty.windows.dockerfile b/smoke-tests/images/servlet/src/jetty.windows.dockerfile
index a70b1877a99a..4d3ee17164f2 100644
--- a/smoke-tests/images/servlet/src/jetty.windows.dockerfile
+++ b/smoke-tests/images/servlet/src/jetty.windows.dockerfile
@@ -1,7 +1,7 @@
 ARG jdkImage
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:92659de869382c14a0276a5e93215d88cb182dc22f1ff3ada1f1b68b8648f3b2 as builder
+FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:418d8d0c6e026e5131e48f4d71ca66e9564c31b50f02b740235d32145a55c6ea as builder
 ARG sourceVersion
 
 ADD https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/${sourceVersion}/jetty-home-${sourceVersion}.zip /server.zip
diff --git a/smoke-tests/images/servlet/src/liberty.windows.dockerfile b/smoke-tests/images/servlet/src/liberty.windows.dockerfile
index 0b54ef4b3741..8250b9e7bb4c 100644
--- a/smoke-tests/images/servlet/src/liberty.windows.dockerfile
+++ b/smoke-tests/images/servlet/src/liberty.windows.dockerfile
@@ -1,7 +1,7 @@
 ARG jdkImage
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:92659de869382c14a0276a5e93215d88cb182dc22f1ff3ada1f1b68b8648f3b2 as builder
+FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:418d8d0c6e026e5131e48f4d71ca66e9564c31b50f02b740235d32145a55c6ea as builder
 ARG version
 ARG release
 
diff --git a/smoke-tests/images/servlet/src/payara.windows.dockerfile b/smoke-tests/images/servlet/src/payara.windows.dockerfile
index 47307e955564..e4aee283536d 100644
--- a/smoke-tests/images/servlet/src/payara.windows.dockerfile
+++ b/smoke-tests/images/servlet/src/payara.windows.dockerfile
@@ -1,7 +1,7 @@
 ARG jdkImage
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:92659de869382c14a0276a5e93215d88cb182dc22f1ff3ada1f1b68b8648f3b2 as builder
+FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:418d8d0c6e026e5131e48f4d71ca66e9564c31b50f02b740235d32145a55c6ea as builder
 ARG version
 
 ADD https://nexus.payara.fish/repository/payara-community/fish/payara/distributions/payara/${version}/payara-${version}.zip /server.zip
diff --git a/smoke-tests/images/servlet/src/tomcat.windows.dockerfile b/smoke-tests/images/servlet/src/tomcat.windows.dockerfile
index 9b5f80e4d3d7..426fe7c9c11d 100644
--- a/smoke-tests/images/servlet/src/tomcat.windows.dockerfile
+++ b/smoke-tests/images/servlet/src/tomcat.windows.dockerfile
@@ -1,7 +1,7 @@
 ARG jdkImage
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:92659de869382c14a0276a5e93215d88cb182dc22f1ff3ada1f1b68b8648f3b2 as builder
+FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:418d8d0c6e026e5131e48f4d71ca66e9564c31b50f02b740235d32145a55c6ea as builder
 ARG majorVersion
 ARG version
 
diff --git a/smoke-tests/images/servlet/src/tomee.windows.dockerfile b/smoke-tests/images/servlet/src/tomee.windows.dockerfile
index bbf4cf735d20..729285649862 100644
--- a/smoke-tests/images/servlet/src/tomee.windows.dockerfile
+++ b/smoke-tests/images/servlet/src/tomee.windows.dockerfile
@@ -1,7 +1,7 @@
 ARG jdkImage
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:92659de869382c14a0276a5e93215d88cb182dc22f1ff3ada1f1b68b8648f3b2 as builder
+FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:418d8d0c6e026e5131e48f4d71ca66e9564c31b50f02b740235d32145a55c6ea as builder
 ARG version
 
 ADD https://archive.apache.org/dist/tomee/tomee-${version}/apache-tomee-${version}-webprofile.zip /server.zip
diff --git a/smoke-tests/images/servlet/src/wildfly.windows.dockerfile b/smoke-tests/images/servlet/src/wildfly.windows.dockerfile
index 2528710056f4..4a11cd40f1c3 100644
--- a/smoke-tests/images/servlet/src/wildfly.windows.dockerfile
+++ b/smoke-tests/images/servlet/src/wildfly.windows.dockerfile
@@ -1,7 +1,7 @@
 ARG jdkImage
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:92659de869382c14a0276a5e93215d88cb182dc22f1ff3ada1f1b68b8648f3b2 as builder
+FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:418d8d0c6e026e5131e48f4d71ca66e9564c31b50f02b740235d32145a55c6ea as builder
 ARG version
 ARG baseDownloadUrl