diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ba42804..ab65c90 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -13,7 +13,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: read
-    uses: loft-sh/github-actions/.github/workflows/validate-renovate.yaml@4207288daf055fa396f57e248dd3c5657c32c65b # validate-renovate/v1
+    uses: loft-sh/github-actions/.github/workflows/validate-renovate.yaml@53686d2452bc48398252887a37ad248c38a7f1eb # validate-renovate/v1
 
   actionlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/claude-code-review.yaml b/.github/workflows/claude-code-review.yaml
index 1b1b3d2..b68ca13 100644
--- a/.github/workflows/claude-code-review.yaml
+++ b/.github/workflows/claude-code-review.yaml
@@ -51,7 +51,7 @@ jobs:
           git checkout -B "${PR_HEAD_REF}" "origin/${PR_HEAD_REF}"
 
       - name: Claude Code Review
-        uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # v1
+        uses: anthropics/claude-code-action@38ec876110f9fbf8b950c79f534430740c3ac009 # v1
         with:
           anthropic_api_key: ${{ secrets.anthropic-api-key }} # zizmor: ignore[secrets-outside-env] -- API key passed via workflow_call, not a repo secret
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/claude.yaml b/.github/workflows/claude.yaml
index 31bc384..0821827 100644
--- a/.github/workflows/claude.yaml
+++ b/.github/workflows/claude.yaml
@@ -27,6 +27,6 @@ jobs:
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # v1
+        uses: anthropics/claude-code-action@38ec876110f9fbf8b950c79f534430740c3ac009 # v1
         with:
           anthropic_api_key: ${{ secrets.anthropic-api-key }} # zizmor: ignore[secrets-outside-env] -- API key passed via workflow_call, not a repo secret
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 9011a6c..8ca619b 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -33,7 +33,7 @@ jobs:
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # v1
+        uses: anthropics/claude-code-action@38ec876110f9fbf8b950c79f534430740c3ac009 # v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} # zizmor: ignore[secrets-outside-env] -- OAuth token for Claude, no dedicated environment needed
 
diff --git a/.github/workflows/test-semver-validation.yaml b/.github/workflows/test-semver-validation.yaml
index ce45452..93ad14a 100644
--- a/.github/workflows/test-semver-validation.yaml
+++ b/.github/workflows/test-semver-validation.yaml
@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: '24'
       - run: npm ci