diff --git a/.github/workflows/build-matrix.yml b/.github/workflows/build-matrix.yml
index cbcb42a2..40912313 100644
--- a/.github/workflows/build-matrix.yml
+++ b/.github/workflows/build-matrix.yml
@@ -49,7 +49,7 @@ jobs:
           go build -ldflags="-s -w" -o "ckb-${GOOS}-${GOARCH}${ext}" ./cmd/ckb
 
       - name: Upload artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ckb-${{ matrix.os }}-${{ matrix.arch }}
           path: ckb-${{ matrix.os }}-${{ matrix.arch }}*
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 208e6629..759560d4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -177,7 +177,7 @@ jobs:
         run: ./ckb version
 
       - name: Upload binary
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ckb-linux-amd64
           path: ckb
diff --git a/.github/workflows/ckb.yml b/.github/workflows/ckb.yml
index 1cbc78e8..5003e463 100644
--- a/.github/workflows/ckb.yml
+++ b/.github/workflows/ckb.yml
@@ -95,7 +95,7 @@ jobs:
       # ───────────────────────────────────────────────────────────────────────
       - name: Cache
         id: cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: .ckb/
           key: ckb-${{ runner.os }}-${{ hashFiles('go.sum') }}-${{ github.base_ref }}
@@ -172,7 +172,7 @@ jobs:
           fi
 
       - name: Post Impact Comment
-        uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff # v3.0.3
+        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
         with:
           header: ckb-impact
           path: impact.md
@@ -377,7 +377,7 @@ jobs:
       # ───────────────────────────────────────────────────────────────────────
       - name: Comment
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           CACHE_HIT: ${{ steps.cache.outputs.cache-hit }}
           INDEX_MODE: ${{ steps.index.outputs.mode }}
@@ -928,7 +928,7 @@ jobs:
       - name: Reviewers
         if: always()
         continue-on-error: true
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const fs = require('fs');
@@ -954,14 +954,14 @@ jobs:
       # ───────────────────────────────────────────────────────────────────────
       - name: Save Cache
         if: always()
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: .ckb/
           key: ckb-${{ runner.os }}-${{ hashFiles('go.sum') }}-${{ github.base_ref }}
 
       - name: Upload
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ckb-analysis
           path: '*.json'
@@ -992,7 +992,7 @@ jobs:
         run: go install github.com/sourcegraph/scip-go/cmd/scip-go@latest
 
       - name: Cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: .ckb/
           key: ckb-${{ runner.os }}-refresh-${{ github.run_id }}
@@ -1035,7 +1035,7 @@ jobs:
           echo "| Language Quality | $(jq '.overallQuality * 100 | floor' reports/languages.json)% |" >> $GITHUB_STEP_SUMMARY
 
       - name: Upload
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ckb-refresh
           path: reports/
diff --git a/.github/workflows/cov.yml b/.github/workflows/cov.yml
index 17f80b4a..a1d6b988 100644
--- a/.github/workflows/cov.yml
+++ b/.github/workflows/cov.yml
@@ -69,7 +69,7 @@ jobs:
 
       - name: Upload coverage
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: coverage
           path: |
diff --git a/.github/workflows/nfr.yml b/.github/workflows/nfr.yml
index 5920a549..ada0e724 100644
--- a/.github/workflows/nfr.yml
+++ b/.github/workflows/nfr.yml
@@ -39,7 +39,7 @@ jobs:
           exit 0
 
       - name: Upload head results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: nfr-head
           path: nfr-output.txt
@@ -72,7 +72,7 @@ jobs:
           exit 0
 
       - name: Upload base results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: nfr-base
           path: nfr-output.txt
@@ -270,7 +270,7 @@ jobs:
 
       - name: Comment on PR
         if: always() && github.event_name == 'pull_request'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const fs = require('fs');
@@ -308,7 +308,7 @@ jobs:
 
       - name: Upload NFR results
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: nfr-results
           path: |
diff --git a/.github/workflows/security-dependencies.yml b/.github/workflows/security-dependencies.yml
index 10ed1783..948703b2 100644
--- a/.github/workflows/security-dependencies.yml
+++ b/.github/workflows/security-dependencies.yml
@@ -220,7 +220,7 @@ jobs:
           echo "| **Total** | **$TOTAL** |" >> $GITHUB_STEP_SUMMARY
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: dependency-scan-results
diff --git a/.github/workflows/security-gate.yml b/.github/workflows/security-gate.yml
index 66fdba3a..6086b538 100644
--- a/.github/workflows/security-gate.yml
+++ b/.github/workflows/security-gate.yml
@@ -201,7 +201,7 @@ jobs:
 
       - name: PR Comment
         if: github.event_name == 'pull_request'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const fs = require('fs');
diff --git a/.github/workflows/security-sast-common.yml b/.github/workflows/security-sast-common.yml
index 106796d7..40d606ec 100644
--- a/.github/workflows/security-sast-common.yml
+++ b/.github/workflows/security-sast-common.yml
@@ -98,7 +98,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: semgrep-results
diff --git a/.github/workflows/security-sast-go.yml b/.github/workflows/security-sast-go.yml
index 64da052f..1d486f60 100644
--- a/.github/workflows/security-sast-go.yml
+++ b/.github/workflows/security-sast-go.yml
@@ -141,7 +141,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: gosec-results
diff --git a/.github/workflows/security-sast-python.yml b/.github/workflows/security-sast-python.yml
index a48e0c94..f9685a44 100644
--- a/.github/workflows/security-sast-python.yml
+++ b/.github/workflows/security-sast-python.yml
@@ -141,7 +141,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: bandit-results
diff --git a/.github/workflows/security-secrets.yml b/.github/workflows/security-secrets.yml
index f2df7323..33b3b0df 100644
--- a/.github/workflows/security-secrets.yml
+++ b/.github/workflows/security-secrets.yml
@@ -217,7 +217,7 @@ jobs:
           echo "| **Total** | **$TOTAL** |" >> $GITHUB_STEP_SUMMARY
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: secret-scan-results