diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6301298b76..c3932c3661 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -25,6 +25,6 @@ jobs:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 🏗 Initialize CodeQL
-        uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3
+        uses: github/codeql-action/init@05963f47d870e2cb19a537396c1f668a348c7d8f # v3
       - name: 🚀 Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3
+        uses: github/codeql-action/analyze@05963f47d870e2cb19a537396c1f668a348c7d8f # v3
diff --git a/.github/workflows/nextjs_bundle_analysis.yml b/.github/workflows/nextjs_bundle_analysis.yml
index 0f049a2436..48e70f3e26 100644
--- a/.github/workflows/nextjs_bundle_analysis.yml
+++ b/.github/workflows/nextjs_bundle_analysis.yml
@@ -81,7 +81,7 @@ jobs:
           path: /home/runner/work/InReach/InReach/apps/app/.next/analyze/__bundle_analysis.json
 
       - name: Download base branch bundle stats
-        uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2
+        uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
         if: success() && github.event.number
         with:
           workflow: nextjs_bundle_analysis.yml
diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml
index f8c5059fc1..3c9296508b 100644
--- a/.github/workflows/njsscan.yml
+++ b/.github/workflows/njsscan.yml
@@ -37,6 +37,6 @@ jobs:
         with:
           args: '. --sarif --output results.sarif || true'
       - name: Upload njsscan report
-        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3
+        uses: github/codeql-action/upload-sarif@05963f47d870e2cb19a537396c1f668a348c7d8f # v3
         with:
           sarif_file: results.sarif