diff --git a/.github/workflows/protoc-dependabot-hack.yml b/.github/workflows/protoc-dependabot-hack.yml
index af0928476..7fcc9ed52 100644
--- a/.github/workflows/protoc-dependabot-hack.yml
+++ b/.github/workflows/protoc-dependabot-hack.yml
@@ -16,4 +16,4 @@ jobs:
 
       # update the version in these places manually when Dependabot proposes a change to it here:
       # 1. the version in main.yml used to install protoc
-      - uses: protocolbuffers/protobuf@v27.2
+      - uses: protocolbuffers/protobuf@v27.3
diff --git a/.github/workflows/scorecard_action.yml b/.github/workflows/scorecard_action.yml
index 791ac9bef..3b5d9e0a1 100644
--- a/.github/workflows/scorecard_action.yml
+++ b/.github/workflows/scorecard_action.yml
@@ -44,7 +44,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: SARIF file
           path: results.sarif
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 14f6b0a53..11d71f277 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -68,7 +68,7 @@ jobs:
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
         timeout-minutes: 10
         with:
           version: v1.59