diff --git a/.github/workflows/label-sync-reusable.yml b/.github/workflows/label-sync-reusable.yml
index f1b2a15..e0b9e59 100644
--- a/.github/workflows/label-sync-reusable.yml
+++ b/.github/workflows/label-sync-reusable.yml
@@ -16,7 +16,7 @@ jobs:
       # so that the caller's GITHUB_TOKEN (which is scoped to the caller, not
       # this repo) can check them out without a PAT or GitHub App credential.
       - name: Checkout shared labels and script
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: trufflesecurity/.github
           ref: main
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9bb4ef1..c3e6ff9 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,12 +14,13 @@ jobs:
     name: Python (ruff)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/ruff-action@v3
+      - uses: actions/checkout@v6
+      # ruff-action v4+ ships immutable tags only (no rolling @v4); pin to the patch.
+      - uses: astral-sh/ruff-action@v4.0.0
         with:
           src: '.github/scripts'
           args: 'check'
-      - uses: astral-sh/ruff-action@v3
+      - uses: astral-sh/ruff-action@v4.0.0
         with:
           src: '.github/scripts'
           args: 'format --check'
@@ -28,7 +29,7 @@ jobs:
     name: Workflows (actionlint)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Run actionlint
         run: |
           bash <(curl -sSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
diff --git a/.github/workflows/pr-labeler-reusable.yml b/.github/workflows/pr-labeler-reusable.yml
index 0cd219c..2633358 100644
--- a/.github/workflows/pr-labeler-reusable.yml
+++ b/.github/workflows/pr-labeler-reusable.yml
@@ -27,7 +27,7 @@ jobs:
       # caller's GITHUB_TOKEN (which is scoped to the caller, not this repo)
       # can check them out without a PAT or GitHub App credential.
       - name: Checkout shared scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: trufflesecurity/.github
           ref: main
diff --git a/.github/workflows/stale-reusable.yml b/.github/workflows/stale-reusable.yml
index fcedc76..045c724 100644
--- a/.github/workflows/stale-reusable.yml
+++ b/.github/workflows/stale-reusable.yml
@@ -21,7 +21,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           # PR thresholds
           days-before-pr-stale: ${{ inputs.days-before-stale }}
diff --git a/.github/workflows/test-scripts.yml b/.github/workflows/test-scripts.yml
index 329b977..a5b7ac3 100644
--- a/.github/workflows/test-scripts.yml
+++ b/.github/workflows/test-scripts.yml
@@ -15,8 +15,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.12'
       - run: pip install pytest pyyaml