diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 8da110b..02d5ec1 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -22,7 +22,7 @@ jobs:
         run: uv sync --frozen
       - name: Run benchmarks
         run: uv run pytest tests/test_benchmark.py -v
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: benchmarks
           path: .benchmarks/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f67d596..df1e6be 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -152,7 +152,7 @@ jobs:
           assert walk({'k': 'v'}) == {'k': 'v'}
           print('Smoke test passed')
           "
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: wheel
           path: dist/*.whl
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 1e26125..1f3fe56 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -33,7 +33,7 @@ jobs:
         run: uv run zensical build
       - name: Strip internal docs from build
         run: rm -rf site/internal site/plans site/whitepaper
-      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+      - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
         with:
           path: site
 
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 70e28af..a35eb22 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -38,7 +38,7 @@ jobs:
           uv run python fuzz/fuzz_clean.py --target="${FUZZ_TARGET}" -atheris_runs=100000 -max_len=4096
       - name: Upload crash artifacts
         if: failure()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: fuzz-crash-${{ matrix.target }}
           path: |
diff --git a/.github/workflows/grippy-review.yml b/.github/workflows/grippy-review.yml
index 964b05a..dcd0f98 100644
--- a/.github/workflows/grippy-review.yml
+++ b/.github/workflows/grippy-review.yml
@@ -18,7 +18,7 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176  # v2.17.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4921260..3e6289c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -42,7 +42,7 @@ jobs:
           path: dist/
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
         with:
           print-hash: true