diff --git a/.github/actions/setup-node.js/action.yml b/.github/actions/setup-node.js/action.yml
index 21344f6c734..389604490ac 100644
--- a/.github/actions/setup-node.js/action.yml
+++ b/.github/actions/setup-node.js/action.yml
@@ -8,7 +8,7 @@ runs:
       run: |
         echo "JAEGER_UI_NODE_JS_VERSION=$(cat jaeger-ui/.nvmrc)" >> ${GITHUB_ENV}
 
-    - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+    - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
       with:
         node-version: ${{ env.JAEGER_UI_NODE_JS_VERSION }}
         cache: 'yarn'
diff --git a/.github/workflows/ci-release-testing.yml b/.github/workflows/ci-release-testing.yml
index 985485ca055..06c25c10ad4 100644
--- a/.github/workflows/ci-release-testing.yml
+++ b/.github/workflows/ci-release-testing.yml
@@ -88,7 +88,7 @@ jobs:
         QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
 
     - name: Generate SBOM
-      uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+      uses: anchore/sbom-action@95b086ac308035dc0850b3853be5b7ab108236a8 # v0.16.1
       with:
         output-file: jaeger-SBOM.spdx.json
         upload-release-assets: false
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 8390a918f52..1c79cfd2228 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -112,7 +112,7 @@ jobs:
         QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
 
     - name: Generate SBOM
-      uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+      uses: anchore/sbom-action@95b086ac308035dc0850b3853be5b7ab108236a8 # v0.16.1
       with:
         output-file: jaeger-SBOM.spdx.json
         upload-release-assets: false
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index d9afd92f2de..611e740f498 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -64,7 +64,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         with:
           name: SARIF file
           path: results.sarif