diff --git a/.github/workflows/auto-update-templates.yml b/.github/workflows/auto-update-templates.yml
index f4ea741..464d16e 100644
--- a/.github/workflows/auto-update-templates.yml
+++ b/.github/workflows/auto-update-templates.yml
@@ -45,7 +45,7 @@ jobs:
           pinact run -update "${files[@]}"
 
       - name: Open PR with updates
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           commit-message: "ci: Auto-update pinned actions in workflow-templates"
           title: "ci: Auto-update pinned actions in workflow-templates"
diff --git a/.github/workflows/docker-image-vulnerability-process.yml b/.github/workflows/docker-image-vulnerability-process.yml
index 0d53e74..2236128 100644
--- a/.github/workflows/docker-image-vulnerability-process.yml
+++ b/.github/workflows/docker-image-vulnerability-process.yml
@@ -84,7 +84,7 @@ jobs:
       
       - name: Download Docker image from tarball
         if: ${{ inputs.trivyMode == 'tarball' }}
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: ${{ inputs.imageTarName }}
           path: './${{ inputs.imageTarName }}'
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index 8adcb9d..1bc7773 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -77,7 +77,7 @@ jobs:
         dockerTar: ${{ env.DOCKER_TAR }}
 
     - name: Docker Login
-      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
       with:
         registry: ${{ env.PACKAGE_SERVER }}
         username: $GITHUB_ACTOR