diff --git a/.github/workflows/dev-publish.yml b/.github/workflows/dev-publish.yml
index 57676c28e5..db5903a5bd 100644
--- a/.github/workflows/dev-publish.yml
+++ b/.github/workflows/dev-publish.yml
@@ -124,7 +124,7 @@ jobs:
 # Uses the `docker/login-action` action to log in to the Container registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
 - name: Log in to the Container registry
- uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -132,7 +132,7 @@ jobs:
 # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+ uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
@@ -143,7 +143,7 @@ jobs:
 # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
 - name: Build and push Docker image
 id: push
- uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
 with:
 context: ./
 file: ./dcr/Dockerfile
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 9e24b46dd9..2f6bda1f93 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
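Review bot: The version comments added after the pinned SHAs in dev-publish.yml (`#v3.4.0`, `#v5.7.0`, `#v6.18.0`) are written without a space after `#` and with a single space before it, while osv.yml in this same commit uses `# v2.0.3`. The spaced form is what yamllint's `comments` rule expects and, as far as I know, the form update bots rewrite when they bump a pin, so I would write `uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0` here and on the matching lines in publish.yml. The comment is only a label; nothing visible in these workflows checks that a SHA is the commit behind the named tag. Each pair should therefore be confirmed against the upstream repository's tags at review time, in particular the build-push-action SHA, which is the one that actually changes.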
@@ -34,7 +34,7 @@ jobs:
 run: npm i
 - name: Add additional deps
- run: npm i @rollup/rollup-linux-x64-gnu@4.32.1
+ run: npm i @rollup/rollup-linux-x64-gnu@4.44.1
 - name: Build docs
 run: npm run docs:build
diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml
index 96da2d86cf..d17bf66e70 100644
--- a/.github/workflows/osv.yml
+++ b/.github/workflows/osv.yml
@@ -30,7 +30,7 @@ jobs:
 security-events: write
 contents: read
 actions: read
- uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f' # v2.0.1
+ uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@40a8940a65eab1544a6af759e43d936201a131a2' # v2.0.3
 with:
 # Example of specifying custom arguments
 scan-args: |-
@@ -42,7 +42,7 @@ jobs:
 security-events: write
 contents: read
 actions: read
- uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f' # v2.0.1
+ uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@40a8940a65eab1544a6af759e43d936201a131a2' # v2.0.3
 with:
 # Example of specifying custom arguments
 scan-args: |-
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 76d7355f07..1a3a03cb09 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
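Review bot: In docs.yml the `Add additional deps` step installs the native rollup binary from a version written by hand in the workflow, so the package has no entry in the lockfile: its integrity hash is not pinned, and nothing ties 4.44.1 to the rollup version that the preceding `npm i` resolved. If the two are meant to match, a comment above the step such as `# must equal the rollup version in package-lock.json` would make that coupling visible to whoever bumps it next. Using `run: npm i --no-save @rollup/rollup-linux-x64-gnu@4.44.1` would also stop the step from rewriting package.json and the lockfile on the runner before the docs build. The job continues outside this hunk, so whether later steps read those files is not visible here.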
@@ -110,14 +110,14 @@ jobs:
 run: echo ZX_VERSION=$(jq -r '.version' package.json) >> $GITHUB_ENV
 - name: Log in to the Container registry
- uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+ uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
@@ -125,7 +125,7 @@ jobs:
 type=semver,pattern={{version}},value=v${{ env.ZX_VERSION }}
 - name: Build and push Docker image
 id: push
- uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
 with:
 context: ./
 file: ./dcr/Dockerfile
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 686408d186..4e77fae592 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -22,9 +22,9 @@ jobs:
 persist-credentials: false
 - name: Install the latest version of uv
- uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 #v5.4.2
+ uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba #v6.3.1
 with:
 enable-cache: false
 - name: Run zizmor
- run: uvx zizmor@1.6.0 .github/workflows -v -p --min-severity=medium
+ run: uvx zizmor@1.11.0 .github/workflows -v -p --min-severity=medium
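Review bot: In zizmor.yml the setup-uv step is pinned by SHA but passes only `enable-cache: false`, so the step (named "Install the latest version of uv") still downloads whichever uv release is current at run time, unless a required version is set in project config outside this hunk. The next line pins `zizmor@1.11.0`, so pinning the tool that resolves and runs it would make the audit job reproducible end to end: add `version: '<pinned uv version>'` under `with:`. The move from v5.4.2 to v6.3.1 is a major release of the action, so any changed defaults should be checked against its release notes before merge.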