diff --git a/.github/workflows/arch.yaml b/.github/workflows/arch.yaml
index d585287..8b4010d 100644
--- a/.github/workflows/arch.yaml
+++ b/.github/workflows/arch.yaml
@@ -194,7 +194,7 @@ jobs:
 
             - name: Setup Cosign
               if: startsWith(github.ref, 'refs/tags/')
-              uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
             - name: Login to ghcr.io
               if: startsWith(github.ref, 'refs/tags/')
diff --git a/.github/workflows/fedora.yaml b/.github/workflows/fedora.yaml
index 72a64ba..fc524ee 100644
--- a/.github/workflows/fedora.yaml
+++ b/.github/workflows/fedora.yaml
@@ -181,7 +181,7 @@ jobs:
 
             - name: Setup Cosign
               if: startsWith(github.ref, 'refs/tags/')
-              uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
             - name: Login to ghcr.io
               if: startsWith(github.ref, 'refs/tags/')
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 8f9f16f..4c34d14 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml
index b32b7c8..3d9a8e1 100644
--- a/.github/workflows/ubuntu.yaml
+++ b/.github/workflows/ubuntu.yaml
@@ -166,7 +166,7 @@ jobs:
 
             - name: Setup Cosign
               if: startsWith(github.ref, 'refs/tags/')
-              uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
             - name: Login to ghcr.io
               if: startsWith(github.ref, 'refs/tags/')