diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index 11344e2bc6..fe8d5f183c 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -65,7 +65,7 @@
 "version": "v8.0.0",
 "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
 },
- "actions/setup-dotnet@v4": {
+ "actions/setup-dotnet@v4.3.1": {
 "repo": "actions/setup-dotnet",
 "version": "v4.3.1",
 "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9"
@@ -80,7 +80,7 @@
 "version": "v6.1.0",
 "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c"
 },
- "actions/setup-java@v4": {
+ "actions/setup-java@v4.8.0": {
 "repo": "actions/setup-java",
 "version": "v4.8.0",
 "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index cb56201092..923c9030bd 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -1359,13 +1359,13 @@ jobs:
 - name: Download Go modules
 run: go mod download
 - name: Generate SBOM (SPDX format)
- uses: anchore/sbom-action@62ad5284b8ced813296287a0b63906cb364b73ee # v0
+ uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0
 with:
 artifact-name: sbom.spdx.json
 format: spdx-json
 output-file: sbom.spdx.json
 - name: Generate SBOM (CycloneDX format)
- uses: anchore/sbom-action@62ad5284b8ced813296287a0b63906cb364b73ee # v0
+ uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0
 with:
 artifact-name: sbom.cdx.json
 format: cyclonedx-json
@@ -1399,7 +1399,7 @@ jobs:
 - name: Setup Docker Buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Log in to GitHub Container Registry
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io
diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index 12b5db29c9..a3672acfc1 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -24,10 +24,9 @@ name: "Security Guard Agent 🛡️" "on": pull_request: + # draft: false # Draft filtering applied via job conditions types: - - opened - - synchronize - - reopened + - ready_for_review permissions: {} @@ -41,7 +40,8 @@ jobs: activation: needs: pre_activation if: > - (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) + (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.draft == false)) && + ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id))) runs-on: ubuntu-slim permissions: contents: read @@ -1176,7 +1176,10 @@ jobs: if-no-files-found: ignore pre_activation: - if: (github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id) + if: > + ((github.event_name != 'pull_request') || (github.event.pull_request.draft == false)) && + ((github.event_name != 'pull_request') || + (github.event.pull_request.head.repo.id == github.repository_id)) runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/security-guard.md b/.github/workflows/security-guard.md index 29d9f1d2fa..93a24f2459 100644 --- a/.github/workflows/security-guard.md +++ b/.github/workflows/security-guard.md @@ -2,7 +2,8 @@ description: Automated security guard that reviews every PR for changes that could weaken security posture, only commenting when concrete evidence of security concerns exists on: pull_request: - types: [opened, synchronize, reopened] + types: [ready_for_review] + draft: false permissions: contents: read pull-requests: read 
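Review bot: `types: [ready_for_review]` in security-guard.md (compiled to `- ready_for_review` in the first security-guard.lock.yml hunk) leaves the guard with no trigger for most pull requests. A pull request opened directly as non-draft emits `opened` rather than `ready_for_review`, and commits pushed after the review emit `synchronize`, so neither is reviewed, which no longer matches the description's "reviews every PR". If the aim is only to skip drafts, keep the original events and let the draft filter do the work: `types: [opened, synchronize, reopened, ready_for_review]` together with `draft: false`. The `github.event.pull_request.draft == false` term added to the `activation` and `pre_activation` conditions would then be what excludes drafts; with `ready_for_review` as the sole event it is always true and filters nothing.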
diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json
index 11344e2bc6..fe8d5f183c 100644
--- a/pkg/workflow/data/action_pins.json
+++ b/pkg/workflow/data/action_pins.json
@@ -65,7 +65,7 @@
 "version": "v8.0.0",
 "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
 },
- "actions/setup-dotnet@v4": {
+ "actions/setup-dotnet@v4.3.1": {
 "repo": "actions/setup-dotnet",
 "version": "v4.3.1",
 "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9"
@@ -80,7 +80,7 @@
 "version": "v6.1.0",
 "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c"
 },
- "actions/setup-java@v4": {
+ "actions/setup-java@v4.8.0": {
 "repo": "actions/setup-java",
 "version": "v4.8.0",
 "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"