diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f476de6..5700308 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
           fetch-depth: 0
 
       # Installs the tool versions pinned in mise.toml (bun, node)
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
+      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
 
       - name: Install dependencies
         run: bun install --frozen-lockfile
@@ -40,7 +40,7 @@ jobs:
         run: bun run build
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
         with:
           files: coverage/lcov.info
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -50,6 +50,6 @@ jobs:
         # Skipped until the SONAR_TOKEN secret is configured
         # (secrets aren't readable in step `if`, so check via env)
         if: ${{ env.SONAR_TOKEN != '' }}
-        uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8.1.0
+        uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0
         env:
           SONAR_HOST_URL: https://sonarcloud.io
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f474641..070f616 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,7 +44,7 @@ jobs:
 
       # Installs the tool versions pinned in mise.toml (bun + node, which
       # provides the npm CLI used to publish).
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
+      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
 
       - name: Install dependencies
         run: bun install --frozen-lockfile