diff --git a/.github/actions/setup-python-poetry/action.yml b/.github/actions/setup-python-poetry/action.yml
index ff291b18a3a..cb2e7251088 100644
--- a/.github/actions/setup-python-poetry/action.yml
+++ b/.github/actions/setup-python-poetry/action.yml
@@ -41,7 +41,7 @@ runs:
 echo "${APPDATA}\.poetry\bin" >> "$GITHUB_PATH"
 - name: Install python
- uses: actions/setup-python@29a37be0a3d3e8bf5bc1eb19cd0502922f5b312a # pin v5.2.0
+ uses: actions/setup-python@70dcb22d269dc9546a5d97f4b11548f130526421 # pin v5.2.0
 id: setup-python
 with:
 python-version-file: ${{ inputs.project-path }}/pyproject.toml
diff --git a/.github/workflows/ci-python.yml b/.github/workflows/ci-python.yml
index 67de693ca4f..e69c0abf79c 100644
--- a/.github/workflows/ci-python.yml
+++ b/.github/workflows/ci-python.yml
@@ -134,7 +134,7 @@ jobs:
 timeout-minutes: 2
 - name: Setup Rust toolchain
- uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # pin v1.9.0
+ uses: actions-rust-lang/setup-rust-toolchain@4d1965c9142484e48d40c19de54b5cba84953a06 # pin v1.10.0
 if: steps.cache-libparsec.outputs.cache-hit != 'true'
 with:
 # We setup the cache by hand, see below
diff --git a/.github/workflows/ci-rust.yml b/.github/workflows/ci-rust.yml
index e1e7e42a544..92e00423437 100644
--- a/.github/workflows/ci-rust.yml
+++ b/.github/workflows/ci-rust.yml
@@ -75,7 +75,7 @@ jobs:
 uses: ./.github/actions/system-info
 timeout-minutes: 1
- - uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # pin v1.9.0
+ - uses: actions-rust-lang/setup-rust-toolchain@4d1965c9142484e48d40c19de54b5cba84953a06 # pin v1.10.0
 with:
 # We setup the cache by hand, see below
 cache: false
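Review bot: The `actions/setup-python` pin in `.github/actions/setup-python-poetry/action.yml` moves to commit `70dcb22d269dc9546a5d97f4b11548f130526421` while the trailing comment still reads `# pin v5.2.0`, so at least one of the two SHAs does not correspond to that tag, or the tag was moved upstream. Before merging, resolve the new SHA against the upstream tags and make the comment name the release it actually belongs to, or state that it is an untagged commit. The same unchanged label appears on the `Install python` step in `.github/workflows/ci.yml`. A label that disagrees with the SHA defeats the purpose of the human-readable pin, because reviewers and update tooling rely on it to know which code runs.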
@@ -102,7 +102,7 @@ jobs:
 timeout-minutes: 5
 # Install cargo nextest command
- - uses: taiki-e/install-action@da8fe73ed87107a1cae164305a928b7c8fcff4bc # pin v2.43.1
+ - uses: taiki-e/install-action@7348990d6a11d92f3e482c9b1bb48cf31ab7f658 # pin v2.44.7
 with:
 tool: nextest@0.9.54, wasm-pack@0.12.1, cargo-deny@0.15.0
@@ -220,7 +220,7 @@ jobs:
 uses: ./.github/actions/system-info
 timeout-minutes: 1
- - uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # pin v1.9.0
+ - uses: actions-rust-lang/setup-rust-toolchain@4d1965c9142484e48d40c19de54b5cba84953a06 # pin v1.10.0
 with:
 # We setup the cache by hand, see below
 cache: false
@@ -262,7 +262,7 @@ jobs:
 timeout-minutes: 5
 # Install cargo nextest command
- - uses: taiki-e/install-action@da8fe73ed87107a1cae164305a928b7c8fcff4bc # pin v2.43.1
+ - uses: taiki-e/install-action@7348990d6a11d92f3e482c9b1bb48cf31ab7f658 # pin v2.44.7
 with:
 tool: nextest@0.9.54
diff --git a/.github/workflows/ci-web.yml b/.github/workflows/ci-web.yml
index 7d4b002d53c..332a38ad0e4 100644
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -48,7 +48,7 @@ jobs:
 uses: ./.github/actions/system-info
 timeout-minutes: 1
- - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # pin v4.0.3
+ - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # pin v4.0.4
 with:
 node-version: ${{ env.node-version }}
 cache: npm
@@ -102,7 +102,7 @@ jobs:
 timeout-minutes: 2
 - name: Setup Rust toolchain
- uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # pin v1.9.0
+ uses: actions-rust-lang/setup-rust-toolchain@4d1965c9142484e48d40c19de54b5cba84953a06 # pin v1.10.0
 if: steps.cache-libparsec.outputs.cache-hit != 'true'
 with:
 target: wasm32-unknown-unknown
@@ -123,7 +123,7 @@ jobs:
 timeout-minutes: 5
 # Install wasm-pack command
- - uses: taiki-e/install-action@da8fe73ed87107a1cae164305a928b7c8fcff4bc # pin v2.43.1
+ - uses: taiki-e/install-action@7348990d6a11d92f3e482c9b1bb48cf31ab7f658 # pin v2.44.7
 with:
 tool: wasm-pack@${{ env.wasm-pack-version }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5722b82863b..a93a1cb53db 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -154,7 +154,7 @@ jobs:
 - newsfragments/**
 - name: Install python
- uses: actions/setup-python@29a37be0a3d3e8bf5bc1eb19cd0502922f5b312a # pin v5.2.0
+ uses: actions/setup-python@70dcb22d269dc9546a5d97f4b11548f130526421 # pin v5.2.0
 id: setup-python
 with:
 python-version: 3.12
@@ -191,7 +191,7 @@ jobs:
 diff --unified .pre-commit-config.yaml $TEMP_FILE || true
 echo "path=$TEMP_FILE" >> $GITHUB_OUTPUT
- - uses: taiki-e/install-action@da8fe73ed87107a1cae164305a928b7c8fcff4bc # pin v2.43.1
+ - uses: taiki-e/install-action@7348990d6a11d92f3e482c9b1bb48cf31ab7f658 # pin v2.44.7
 with:
 tool: taplo-cli@0.9.3
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b3a0a047f63..a93162edc90 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -58,7 +58,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 if: steps.should-run-python-analysis.outputs.run == 'true'
- uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pin v3.26.6
+ uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # pin v3.26.8
 with:
 languages: python
 setup-python-dependencies: false
@@ -87,7 +87,7 @@ jobs:
 - name: Perform CodeQL Analysis
 if: steps.should-run-python-analysis.outputs.run == 'true'
- uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pin v3.26.6
+ uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # pin v3.26.8
 with:
 category: /language:python
@@ -142,7 +142,7 @@ jobs:
 # # Initializes the CodeQL tools for scanning.
 # - name: Initialize CodeQL
 # if: steps.should-run-java-analysis.outputs.run == 'true'
- # uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pin v3.26.6
+ # uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # pin v3.26.8
 # with:
 # languages: java
 # # If you wish to specify custom queries, you can do so here or in a config file.
@@ -154,7 +154,7 @@ jobs:
 # - name: Autobuild android
 # if: steps.should-run-java-analysis.outputs.run == 'true'
- # uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pin v3.26.6
+ # uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # pin v3.26.8
 # with:
 # working-directory: client/android
 # env:
@@ -162,7 +162,7 @@ jobs:
 # - name: Perform CodeQL Analysis
 # if: steps.should-run-java-analysis.outputs.run == 'true'
- # uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pin v3.26.6
+ # uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # pin v3.26.8
 # with:
 # category: /language:java
@@ -191,7 +191,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 if: steps.should-run-js-analysis.outputs.run == 'true'
- uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pin v3.26.6
+ uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # pin v3.26.8
 with:
 languages: typescript
@@ -202,12 +202,12 @@ jobs:
 - name: Autobuild for typescript
 if: steps.should-run-js-analysis.outputs.run == 'true'
- uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pin v3.26.6
+ uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # pin v3.26.8
 with:
 working-directory: client
 - name: Perform CodeQL Analysis
 if: steps.should-run-js-analysis.outputs.run == 'true'
- uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pin v3.26.6
+ uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # pin v3.26.8
 with:
 category: /language:typescript
diff --git a/.github/workflows/package-client.yml b/.github/workflows/package-client.yml
index 550304e72e4..d57b143fce2 100644
--- a/.github/workflows/package-client.yml
+++ b/.github/workflows/package-client.yml
@@ -74,7 +74,7 @@ jobs:
 ref: ${{ inputs.commit_sha }}
 timeout-minutes: 5
- - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # pin v4.0.3
+ - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # pin v4.0.4
 with:
 node-version: ${{ env.node-version }}
 timeout-minutes: 2
@@ -94,7 +94,7 @@ jobs:
 working-directory: client
 # Install syft
- - uses: taiki-e/install-action@da8fe73ed87107a1cae164305a928b7c8fcff4bc # pin v2.43.1
+ - uses: taiki-e/install-action@7348990d6a11d92f3e482c9b1bb48cf31ab7f658 # pin v2.44.7
 with:
 tool: syft@0.84.0, wasm-pack@${{ env.wasm-pack-version }}
@@ -195,7 +195,7 @@ jobs:
 mv -v parsec_*_*.snap Parsec_${{ steps.version.outputs.full }}_linux_$ARCH.snap
 # Install syft
- - uses: taiki-e/install-action@da8fe73ed87107a1cae164305a928b7c8fcff4bc # pin v2.43.1
+ - uses: taiki-e/install-action@7348990d6a11d92f3e482c9b1bb48cf31ab7f658 # pin v2.44.7
 with:
 tool: syft@0.84.0
@@ -249,7 +249,7 @@ jobs:
 ref: ${{ inputs.commit_sha }}
 timeout-minutes: 5
- - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # pin v4.0.3
+ - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # pin v4.0.4
 with:
 node-version: ${{ env.node-version }}
 timeout-minutes: 2
@@ -350,7 +350,7 @@ jobs:
 timeout-minutes: 1
 # Install syft
- - uses: taiki-e/install-action@da8fe73ed87107a1cae164305a928b7c8fcff4bc # pin v2.43.1
+ - uses: taiki-e/install-action@7348990d6a11d92f3e482c9b1bb48cf31ab7f658 # pin v2.44.7
 with:
 tool: syft@0.84.0
diff --git a/.github/workflows/package-server.yml b/.github/workflows/package-server.yml
index a4441d39491..49f5c1a6c83 100644
--- a/.github/workflows/package-server.yml
+++ b/.github/workflows/package-server.yml
@@ -98,7 +98,7 @@ jobs:
 run: git apply --allow-empty ${{ runner.temp }}/version.patch/version.patch
 - name: Build wheel
- uses: pypa/cibuildwheel@bd033a44476646b606efccdd5eed92d5ea1d77ad # pin v2.20.0
+ uses: pypa/cibuildwheel@d4a2945fcc8d13f20a1b99d461b8e844d5fc6e23 # pin v2.21.1
 with:
 package-dir: server
 output-dir: dist
@@ -136,7 +136,7 @@ jobs:
 run: python server/packaging/wheel/wheel_it.py ./server --output dist --skip-wheel
 # Install syft
- - uses: taiki-e/install-action@da8fe73ed87107a1cae164305a928b7c8fcff4bc # pin v2.43.1
+ - uses: taiki-e/install-action@7348990d6a11d92f3e482c9b1bb48cf31ab7f658 # pin v2.44.7
 with:
 tool: syft@0.84.0
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7e84fbb1997..369017bfa62 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -137,7 +137,7 @@ jobs:
 - name: Publish wheel on PyPI
 if: steps.version.outputs.local == ''
- uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # pin v1.10.1
+ uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # pin v1.10.2
 with:
 user: __token__
 password: ${{ secrets.PYPI_CREDENTIALS }}
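Review bot: The `Publish wheel on PyPI` step in `.github/workflows/publish.yml` passes `secrets.PYPI_CREDENTIALS` to the bumped `pypa/gh-action-pypi-publish` commit, so of all the pins in this change it is the one that most needs checking against the upstream `v1.10.2` tag before merge. The step still authenticates with `user: __token__` and a stored token. This action supports PyPI Trusted Publishing, which would replace the `user`/`password` inputs with a job-level `permissions: id-token: write` and remove the long-lived secret from the repository. The job's permissions and environment settings are outside the hunk, so confirm what is already configured there.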