diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 937453c3..e6ec870f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -234,7 +234,7 @@ jobs:
         uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4  # v2.9.1
 
       - name: Install cargo-nextest
-        uses: taiki-e/install-action@65851e10cd6c377f11a60e600abc07cb08643468  # v2.33.60
+        uses: taiki-e/install-action@e49978b799e49ff429d162b7a30601a569ab6538  # v2.33.60
         with:
           tool: cargo-nextest
 
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 7af0ac67..6219258a 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -44,7 +44,7 @@ jobs:
     # even when cargo-deny reports a real advisory failure.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v4.0.0
-      - uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1  # v2.0.18
+      - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe  # v2.0.20
         with:
           command: check advisories licenses bans sources
           log-level: warn