diff --git a/.github/actions/bootstrap/action.yml b/.github/actions/bootstrap/action.yml
index 20daafa5..6fef58b0 100644
--- a/.github/actions/bootstrap/action.yml
+++ b/.github/actions/bootstrap/action.yml
@@ -28,4 +28,4 @@ runs:
     # See https://goreleaser.com/blog/supply-chain-security/
     - name: installs syft for generating the SBOM with goreleaser
       if: "${{ inputs.goreleaser == 'true' }}"
-      uses: anchore/sbom-action/download-syft@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
+      uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a0ece99d..3fd78e98 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,7 +57,7 @@ jobs:
         run: make release
 
       # Store artifacts to help with troubleshooting
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         if: always()
         with:
           name: release
@@ -65,7 +65,7 @@ jobs:
           retention-days: 5
 
       # Store artifacts to help with troubleshooting
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         if: always()
         with:
           name: aws
@@ -73,12 +73,12 @@ jobs:
           retention-days: 5
 
       - name: generate build provenance (binaries)
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest-build-provenance@v4
         with:
           subject-checksums: ./dist/checksums.txt
 
       - name: generate build provenance (docker images)
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest-build-provenance@v4
         with:
           subject-checksums: ./dist/digests.txt
 
diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml
index cbdefd9c..01f36360 100644
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -39,7 +39,7 @@ jobs:
         uses: ./.github/actions/bootstrap
         with:
           goreleaser: 'true'
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
         with:
           terraform_version: 1.2.3
       - uses: elastic/oblt-actions/aws/auth@v1
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 19585924..63434d1b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -58,7 +58,7 @@ jobs:
       - name: Build
         run: make build dist
 
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         if: always()
         with:
           name: snapshots
@@ -69,7 +69,7 @@ jobs:
       #       but only for binaries
       - name: generate build provenance (binaries)
         if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest-build-provenance@v4
         with:
           subject-checksums: ./dist/checksums.txt