diff --git a/.github/workflows/_dist.yml b/.github/workflows/_dist.yml
index 3d120339..5be42514 100644
--- a/.github/workflows/_dist.yml
+++ b/.github/workflows/_dist.yml
@@ -7,7 +7,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         with:
           # Need this to get version number from last tag
           fetch-depth: 0
diff --git a/.github/workflows/_docs.yml b/.github/workflows/_docs.yml
index 24fa4166..af15204f 100644
--- a/.github/workflows/_docs.yml
+++ b/.github/workflows/_docs.yml
@@ -11,7 +11,7 @@ jobs:
         run: sleep 60
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         with:
           # Need this to get version number from last tag
           fetch-depth: 0
@@ -48,7 +48,7 @@ jobs:
         if: github.ref_type == 'tag' || github.ref_name == 'main'
         # We pin to the SHA, not the tag, for security reasons.
         # https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
-        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
+        uses: peaceiris/actions-gh-pages@84c30a85c19949d7eee79c4ff27748b70285e453 # v4.1.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: .github/pages
diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml
index eeeedb03..6d12149c 100644
--- a/.github/workflows/_release.yml
+++ b/.github/workflows/_release.yml
@@ -21,7 +21,7 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         with:
           # Need this to get version number from last tag
           fetch-depth: 0
@@ -36,7 +36,7 @@ jobs:
       - name: Create GitHub Release
         # We pin to the SHA, not the tag, for security reasons.
         # https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
+        uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
         with:
           prerelease: ${{ contains(github.ref_name, 'a') || contains(github.ref_name, 'b') || contains(github.ref_name, 'rc') }}
           files: |
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
index 41cb8bb0..1d9e3ba2 100644
--- a/.github/workflows/_test.yml
+++ b/.github/workflows/_test.yml
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         with:
           # Need this to get version number from last tag
           fetch-depth: 0
@@ -37,7 +37,7 @@ jobs:
         run: uv run --locked tox -e tests
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@v7
         with:
           name: ${{ inputs.python-version }}/${{ inputs.runs-on }}
           files: cov.xml
diff --git a/.github/workflows/_tox.yml b/.github/workflows/_tox.yml
index a8f5ad7a..d6b1131c 100644
--- a/.github/workflows/_tox.yml
+++ b/.github/workflows/_tox.yml
@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7