diff --git a/.github/workflows/autodocs-platform.yaml b/.github/workflows/autodocs-platform.yaml
index eeb7f77653..7ade314f3d 100644
--- a/.github/workflows/autodocs-platform.yaml
+++ b/.github/workflows/autodocs-platform.yaml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
     - name: 'Github Actions Runner'
-      uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
       with:
         egress-policy: audit
 
@@ -30,7 +30,7 @@ jobs:
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: 'Setup gitsign'
-      uses: chainguard-dev/actions/setup-gitsign@eab208ef2d05b13404296a5e194a6b237e8bb213 # v1.6.4
+      uses: chainguard-dev/actions/setup-gitsign@71714a76c3df10b544595a2294c16649dc3472e5 # v1.6.5
 
     - name: Authenticate to Google Cloud
       id: auth
diff --git a/.github/workflows/build-terminal-images.yaml b/.github/workflows/build-terminal-images.yaml
index 8cb9c7c310..96d7ea322a 100644
--- a/.github/workflows/build-terminal-images.yaml
+++ b/.github/workflows/build-terminal-images.yaml
@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index 4b93ccab5f..b52cde2e00 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit
 
@@ -44,7 +44,7 @@ jobs:
           sudo chmod +x /usr/local/bin/yq
 
       - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: '1.24'
 
diff --git a/.github/workflows/cloud-run.yaml b/.github/workflows/cloud-run.yaml
index eb06a8cab6..0054acb97f 100644
--- a/.github/workflows/cloud-run.yaml
+++ b/.github/workflows/cloud-run.yaml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: 'Github Actions Runner'
-      uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
       with:
         egress-policy: audit
 
diff --git a/.github/workflows/compile-ai-docs-from-gcs.yaml b/.github/workflows/compile-ai-docs-from-gcs.yaml
index 8503e55e6d..9005fada70 100644
--- a/.github/workflows/compile-ai-docs-from-gcs.yaml
+++ b/.github/workflows/compile-ai-docs-from-gcs.yaml
@@ -30,7 +30,7 @@ jobs:
     
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
       with:
         egress-policy: audit
 
diff --git a/.github/workflows/compile-docs-on-webhook.yml b/.github/workflows/compile-docs-on-webhook.yml
index 9fe5674cb0..c469248932 100644
--- a/.github/workflows/compile-docs-on-webhook.yml
+++ b/.github/workflows/compile-docs-on-webhook.yml
@@ -20,7 +20,7 @@ jobs:
     
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
       with:
         egress-policy: audit
 
diff --git a/.github/workflows/compile-docs.yml b/.github/workflows/compile-docs.yml
index b297106877..265b37707a 100644
--- a/.github/workflows/compile-docs.yml
+++ b/.github/workflows/compile-docs.yml
@@ -32,7 +32,7 @@ jobs:
     
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
       with:
         egress-policy: audit
 
diff --git a/.github/workflows/compile-public-docs.yml b/.github/workflows/compile-public-docs.yml
index 6732d98afb..273aa211ee 100644
--- a/.github/workflows/compile-public-docs.yml
+++ b/.github/workflows/compile-public-docs.yml
@@ -34,7 +34,7 @@ jobs:
     
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
       with:
         egress-policy: audit
 
diff --git a/.github/workflows/export-edu-docs-to-gcs.yaml b/.github/workflows/export-edu-docs-to-gcs.yaml
index b225558e19..c3b769af9b 100644
--- a/.github/workflows/export-edu-docs-to-gcs.yaml
+++ b/.github/workflows/export-edu-docs-to-gcs.yaml
@@ -24,7 +24,7 @@ jobs:
     
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
       with:
         egress-policy: audit
 
diff --git a/.github/workflows/rumble-vulnerability-data.yaml b/.github/workflows/rumble-vulnerability-data.yaml
index 4dde41d7f3..52cc68e92c 100644
--- a/.github/workflows/rumble-vulnerability-data.yaml
+++ b/.github/workflows/rumble-vulnerability-data.yaml
@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit
 
@@ -36,7 +36,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: ./tools/rumble/go.mod
           check-latest: true
diff --git a/.github/workflows/validate-nginx-config.yaml b/.github/workflows/validate-nginx-config.yaml
index b122c6330d..8a94d35f65 100644
--- a/.github/workflows/validate-nginx-config.yaml
+++ b/.github/workflows/validate-nginx-config.yaml
@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit