diff --git a/.github/actions/build_micro_service/action.yml b/.github/actions/build_micro_service/action.yml
index 6b7f6c0a2..1bf908f10 100644
--- a/.github/actions/build_micro_service/action.yml
+++ b/.github/actions/build_micro_service/action.yml
@@ -62,7 +62,7 @@ runs:
 
     - name: Build and push container image
       id: build-micro-service
-      uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 # v3.3.0
+      uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
       with:
         context: .
         file: ${{ inputs.dockerfile }}
diff --git a/.github/actions/build_operator/action.yml b/.github/actions/build_operator/action.yml
index e8275c5de..52533f4c7 100644
--- a/.github/actions/build_operator/action.yml
+++ b/.github/actions/build_operator/action.yml
@@ -58,7 +58,7 @@ runs:
 
     - name: Build and push container image
       id: build-image
-      uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 # v3.3.0
+      uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
       with:
         context: .
         file: ${{ inputs.sourceDir }}/Dockerfile
@@ -104,7 +104,7 @@ runs:
 
     - name: Build and push bundle image
       id: build-image-bundle
-      uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 # v3.3.0
+      uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
       with:
         context: ${{ inputs.sourceDir }}
         file: ${{ inputs.sourceDir }}/bundle.Dockerfile
diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
index 429dfef94..f6663bb81 100644
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -107,7 +107,7 @@ runs:
     - name: Download the bootstrapper from cache
       id: download-bootstrapper-cache
       if: inputs.isDebugImage == 'true' && runner.os == 'macOS'
-      uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
+      uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
       with:
         key: bootstrapper-${{ github.sha }}
         path: "build/bootstrapper"
@@ -122,7 +122,7 @@ runs:
     - name: Download the upgrade-agent from cache
       id: download-upgrade-agent-cache
       if: inputs.isDebugImage == 'true' && runner.os == 'macOS'
-      uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
+      uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
       with:
         key: upgrade-agent-${{ github.sha }}
         path: "build/upgrade-agent"
diff --git a/.github/actions/setup_linux/action.yml b/.github/actions/setup_linux/action.yml
index 1a438e11a..dfe4ad022 100644
--- a/.github/actions/setup_linux/action.yml
+++ b/.github/actions/setup_linux/action.yml
@@ -54,4 +54,4 @@ runs:
 
     - name: Set up Docker Buildx
       id: docker-setup
-      uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # tag=v2.2.1
+      uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98 # v2.4.0
diff --git a/.github/workflows/build-ccm-gcp.yml b/.github/workflows/build-ccm-gcp.yml
index 55c7d2538..43fc7a890 100644
--- a/.github/workflows/build-ccm-gcp.yml
+++ b/.github/workflows/build-ccm-gcp.yml
@@ -65,7 +65,7 @@ jobs:
 
       - name: Build and push container image
         id: build
-        uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 # v3.3.0
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
           context: .
           push: true
diff --git a/.github/workflows/build-gcp-guest-agent.yml b/.github/workflows/build-gcp-guest-agent.yml
index 4ba7a6a6e..fb4f6b693 100644
--- a/.github/workflows/build-gcp-guest-agent.yml
+++ b/.github/workflows/build-gcp-guest-agent.yml
@@ -54,7 +54,7 @@ jobs:
 
       - name: Build and push container image
         id: build
-        uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 # v3.3.0
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
           context: ./guest-agent
           file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile
diff --git a/.github/workflows/build-keyservice-image.yml b/.github/workflows/build-keyservice-image.yml
index 0738ae916..a09b53581 100644
--- a/.github/workflows/build-keyservice-image.yml
+++ b/.github/workflows/build-keyservice-image.yml
@@ -33,7 +33,7 @@ jobs:
           go-version: "1.19.5"
 
       - name: Set up ko
-        uses: imjasonh/setup-ko@9a31684920a610d5dbe8012888714d64706f9787 # tag=v0.6
+        uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 
       - name: Build and upload KeyService container image
         id: build-and-upload
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml
index 4caae4a4a..45a8e47c8 100644
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@@ -214,13 +214,13 @@ jobs:
           outputPath: ${{ github.workspace }}/build/upgrade-agent
 
       - name: Upload bootstrapper to cache
-        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           key: bootstrapper-${{ github.sha }}
           path: "build/bootstrapper"
 
       - name: Upload upgrade-agent to cache
-        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           key: upgrade-agent-${{ github.sha }}
           path: "build/upgrade-agent"
diff --git a/.github/workflows/test-actionlint.yml b/.github/workflows/test-actionlint.yml
index e610df13e..f30a0cfc8 100644
--- a/.github/workflows/test-actionlint.yml
+++ b/.github/workflows/test-actionlint.yml
@@ -28,7 +28,7 @@ jobs:
           cache: true
 
       - name: Install ShellCheck
-        uses: ludeeus/action-shellcheck@6d3f514f44620b9d4488e380339edc0d9bbe2fba # master
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
         with:
           ignore_paths: "*"
 
diff --git a/.github/workflows/test-shellcheck.yml b/.github/workflows/test-shellcheck.yml
index c0cf25c66..c769eccd5 100644
--- a/.github/workflows/test-shellcheck.yml
+++ b/.github/workflows/test-shellcheck.yml
@@ -38,7 +38,7 @@ jobs:
           go install github.com/katexochen/sh/v3/cmd/shfmt@faf7f58964998201d22efe41fef41ae4e1953f3b # v3.6.0
 
       - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@6d3f514f44620b9d4488e380339edc0d9bbe2fba # master
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
         with:
           severity: info
           ignore_paths: charts/cilium