diff --git a/.github/workflows/_container.yml b/.github/workflows/_container.yml
index 4857ee9..3ee61f1 100644
--- a/.github/workflows/_container.yml
+++ b/.github/workflows/_container.yml
@@ -25,7 +25,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and export to Docker local cache
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           # Need load and tags so we can test it below
@@ -46,7 +46,7 @@ jobs:
 
       - name: Push cached image to container registry
         if: github.ref_type == 'tag'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         # This does not build the image again, it will find the image in the
         # Docker cache and publish it
         with:
diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml
index 7f4ceab..10d8ed8 100644
--- a/.github/workflows/_release.yml
+++ b/.github/workflows/_release.yml
@@ -23,7 +23,7 @@ jobs:
       - name: Create GitHub Release
         # We pin to the SHA, not the tag, for security reasons.
         # https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         with:
           prerelease: ${{ contains(github.ref_name, 'a') || contains(github.ref_name, 'b') || contains(github.ref_name, 'rc') }}
           files: "*"