diff --git a/.github/workflows/_container.yml b/.github/workflows/_container.yml
index 4857ee9e6..bb19c3b06 100644
--- a/.github/workflows/_container.yml
+++ b/.github/workflows/_container.yml
@@ -37,7 +37,7 @@ jobs:
 
       - name: Create tags for publishing image
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v5.5.1
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml
index b49fa7dca..4f2a48283 100644
--- a/.github/workflows/_release.yml
+++ b/.github/workflows/_release.yml
@@ -23,7 +23,7 @@ jobs:
       - name: Create GitHub Release
         # We pin to the SHA, not the tag, for security reasons.
         # https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v0.1.15
         with:
           prerelease: ${{ contains(github.ref_name, 'a') || contains(github.ref_name, 'b') || contains(github.ref_name, 'rc') }}
           files: "*"
diff --git a/.github/workflows/asyncapi.yml b/.github/workflows/asyncapi.yml
index 443a2196c..613b0e945 100644
--- a/.github/workflows/asyncapi.yml
+++ b/.github/workflows/asyncapi.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: check asyncapi.yaml file
         uses: WaleedAshraf/asyncapi-github-action@v0.0.10
         with:
diff --git a/.github/workflows/backstage.yml b/.github/workflows/backstage.yml
index 00a488241..0c3408040 100644
--- a/.github/workflows/backstage.yml
+++ b/.github/workflows/backstage.yml
@@ -10,8 +10,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: check catalog-info.yaml file
-        uses: RoadieHQ/backstage-entity-validator@v0.3.11
+        uses: RoadieHQ/backstage-entity-validator@v0.5.0
         with:
           path: "./catalog-info.yaml"
diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
index 8c23d1550..823ba308e 100644
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -16,10 +16,10 @@ jobs:
     environment: prod
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: install helm
-        uses: Azure/setup-helm@v3
+        uses: Azure/setup-helm@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
         id: install
@@ -29,7 +29,7 @@ jobs:
           echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ${{ env.GCR_IMAGE }} --username ${{ github.repository_owner }} --password-stdin
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea
+        uses: docker/metadata-action@75359341f62c2d990e0aa8543e545c74eec643ff
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |