diff --git a/.github/workflows/ci-report.yml b/.github/workflows/ci-report.yml
index 2957d5806998..d9badb095c30 100644
--- a/.github/workflows/ci-report.yml
+++ b/.github/workflows/ci-report.yml
@@ -34,8 +34,10 @@ jobs:
 
             echo "::notice::PR found. Target branch is: $TARGET_BRANCH"
             echo "::notice::          Pull Request number is: $PR_ID"
+            echo "::notice::          Branch to merge is: $BRANCH_NAME"
             echo "original_branch_ref=$TARGET_BRANCH" >> "$GITHUB_OUTPUT"
             echo "pr_id=$PR_ID" >> "$GITHUB_OUTPUT"
+            echo "branch_to_merge=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
           else
             echo "::notice::Triggering workflow was executed for a push event? Using the head_branch value."
             echo "original_branch_ref=${{ github.event.workflow_run.head_branch }}" >> "$GITHUB_OUTPUT"
@@ -111,16 +113,8 @@ jobs:
           EXTRA_ARGS=""
           if [ "${{ github.event.workflow_run.event }}" == "pull_request" ]; then
             echo "::notice::Triggering workflow was executed for a pull request"
-
-            FORK_OWNER="${{ github.event.workflow_run.head_repository.owner.login }}"
-            BRANCH_NAME="${{ github.event.workflow_run.head_branch }}"
-            if [ "${{ github.event.workflow_run.head_repository.owner.login }}" != "${{ github.event.workflow_run.repository.owner.login }}" ]; then
-              BRANCH_NAME="$FORK_OWNER:$BRANCH_NAME"
-            fi
-            TARGET_BRANCH=$(gh pr view "$BRANCH_NAME" --repo ${{ github.event.workflow_run.repository.full_name }} --json baseRefName -q .baseRefName)
-            PR_ID=$(gh pr view "$BRANCH_NAME" --repo ${{ github.event.workflow_run.repository.full_name }} --json number -q .number)
-
-            EXTRA_ARGS="-Dsonar.pullrequest.branch=$BRANCH_NAME -Dsonar.pullrequest.key=$PR_ID -Dsonar.pullrequest.base=${{steps.determine_branch_ref.outputs.original_branch_ref}} -Dsonar.pullrequest.provider=GitHub -Dsonar.pullrequest.github.repository=hibernate/hibernate-orm"
+          
+            EXTRA_ARGS="-Dsonar.pullrequest.branch=${{steps.determine_branch_ref.outputs.branch_to_merge}} -Dsonar.pullrequest.key=${{steps.determine_branch_ref.outputs.pr_id}} -Dsonar.pullrequest.base=${{steps.determine_branch_ref.outputs.original_branch_ref}} -Dsonar.pullrequest.provider=GitHub -Dsonar.pullrequest.github.repository=hibernate/hibernate-orm"
           else
             EXTRA_ARGS="-Dsonar.branch.name=${{github.event.workflow_run.head_branch}}"
           fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e4b35f9ec9da..1e81f972adaa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,7 +44,7 @@ jobs:
     # Running with HANA requires at least 8GB memory just for the database, which we don't have on GH Actions runners
     #          - rdbms: hana
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Reclaim Disk Space
@@ -54,7 +54,7 @@ jobs:
           RDBMS: ${{ matrix.rdbms }}
         run: ci/database-start.sh
       - name: Set up Java 11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           distribution: 'temurin'
           java-version: '11'
@@ -71,7 +71,7 @@ jobs:
           echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT
       - name: Cache Maven/Gradle Dependency/Dist Caches
         id: cache-maven
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         # if it's not a pull request, we restore and save the cache
         if: github.event_name != 'pull_request'
         with:
@@ -79,8 +79,10 @@ jobs:
             ~/.m2/repository/
             ~/.m2/wrapper/
             ~/.gradle/caches/modules-2
+            ~/.gradle/caches/
+            !~/.gradle/caches/build-cache-*
             ~/.gradle/wrapper/
-          # A new cache will be stored daily. After that first store of the day, cache save actions will fail because the cache is immutable but it's not a problem.
+          # A new cache will be stored daily. After that first store of the day, cache save actions will fail because the cache is immutable, but it's not a problem.
           # The whole cache is dropped monthly to prevent unlimited growth.
           # The cache is per branch but in case we don't find a branch for a given branch, we will get a cache from another branch.
           key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
@@ -88,14 +90,16 @@ jobs:
             ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
             ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
       - name: Restore Maven/Gradle Dependency/Dist Caches
-        uses: actions/cache/restore@v4
-        # if it a pull request, we restore the cache but we don't save it
+        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        # if it is a pull request, we restore the cache, but we don't save it
         if: github.event_name == 'pull_request'
         with:
           path: |
             ~/.m2/repository/
             ~/.m2/wrapper/
             ~/.gradle/caches/modules-2
+            ~/.gradle/caches/
+            !~/.gradle/caches/build-cache-*
             ~/.gradle/wrapper/
           key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
           restore-keys: |
@@ -116,7 +120,7 @@ jobs:
       # The actual publishing must be done in a separate job (see ci-report.yml).
       # We don't write to the remote cache as that would be unsafe.
       - name: Upload GitHub Actions artifact for the Develocity build scan
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
         with:
           name: build-scan-data-${{ matrix.rdbms }}
@@ -140,7 +144,7 @@ jobs:
             ./**/target/generated/
             .gradle/caches/build-cache-*
       - name: Upload test reports (if Gradle failed)
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: failure()
         with:
           name: test-reports-java11-${{ matrix.rdbms }}
@@ -149,7 +153,7 @@ jobs:
       - name: Omit produced artifacts from build cache
         run: ./ci/before-cache.sh
 
-  # Job for builds on Atlas (Oracle) infrastructure.
+  # Job for builds on Oracle TP infrastructure.
   # This is untrusted, even for pushes, see below.
   otp:
     permissions:
@@ -171,18 +175,17 @@ jobs:
         with:
           persist-credentials: false
       - name: Set up Java 21
-        uses: graalvm/setup-graalvm@aafbedb8d382ed0ca6167d3a051415f20c859274 # v1.2.8
+        uses: graalvm/setup-graalvm@f744c72a42b1995d7b0cbc314bde4bace7ac1fe1 # v1.5.0
         with:
           distribution: 'graalvm'
           java-version: '21'
-
       - name: Generate cache key
         id: cache-key
         run: |
           CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}"
           CURRENT_MONTH=$(/bin/date -u "+%Y-%m")
           CURRENT_DAY=$(/bin/date -u "+%d")
-          ROOT_CACHE_KEY="buildtool-cache-atlas"
+          ROOT_CACHE_KEY="buildtool-cache-oracle-test-pilot"
           echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT
           echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT
           echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT
@@ -214,7 +217,9 @@ jobs:
           path: |
             ~/.m2/repository/
             ~/.m2/wrapper/
-            ~/.gradle/caches/modules-2
+             ~/.gradle/caches/modules-2
+            ~/.gradle/caches/
+            !~/.gradle/caches/build-cache-*
             ~/.gradle/wrapper/
           key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
           restore-keys: |
@@ -222,7 +227,7 @@ jobs:
             ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
 
       - id: create_database
-        uses: loiclefevre/test@a802f8bb53b42b16c253d75f86b06360d150c6e4 # v1.0.22
+        uses: oracle-actions/setup-testpilot@f620f11f9f26dacfe80ba1823342e3e92604c55f # v1.0.23
         with:
           oci-service: ${{ matrix.rdbms }}
           action: create
@@ -243,7 +248,7 @@ jobs:
         run: ./ci/build-github.sh
         shell: bash
 
-      - uses: loiclefevre/test@a802f8bb53b42b16c253d75f86b06360d150c6e4 # v1.0.22
+      - uses: oracle-actions/setup-testpilot@f620f11f9f26dacfe80ba1823342e3e92604c55f # v1.0.23
         if: always()
         with:
           oci-service: ${{ matrix.rdbms }}
@@ -253,7 +258,7 @@ jobs:
       # Upload build scan data.
       # The actual publishing must be done in a separate job (see ci-report.yml).
       # We don't write to the remote cache as that would be unsafe.
-      # That's even on push, because we do not trust Atlas runners to hold secrets: they are shared infrastructure.
+      # That's even on push, because we do not trust Oracle Test Pilot runners to hold secrets: they are shared infrastructure.
       - name: Upload GitHub Actions artifact for the Develocity build scan
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: "${{ !cancelled() }}"