diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 35e0126..f6d2747 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,7 +28,7 @@ jobs:
 
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0
         with:
-          bun-version: 1.3.13
+          bun-version: 1.3.14
 
       # Bun is the package manager and script runner, but Next.js (and tsc)
       # run on Node. The runner image is pinned (ubuntu-24.04) but Node
@@ -187,7 +187,7 @@ jobs:
           # TruffleHog diffs base..head and needs the full history present.
           fetch-depth: 0
       - name: TruffleHog scan
-        uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26  # v3.95.2
+        uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab  # v3.95.3
         with:
           # On PRs: scan the diff between base and head. On push to main:
           # scan the previous commit to HEAD. The action infers both from
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index aef1eaf..bca3585 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -45,7 +45,7 @@ jobs:
         with:
           fetch-depth: 1
 
-      - uses: anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 # v1.0.119
+      - uses: anthropics/claude-code-action@51ea8ea73a139f2a74ff649e3092c25a904aed7e # v1.0.123
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lighthouse.yml b/.github/workflows/lighthouse.yml
index 868e922..f865078 100644
--- a/.github/workflows/lighthouse.yml
+++ b/.github/workflows/lighthouse.yml
@@ -24,7 +24,7 @@ jobs:
 
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0
         with:
-          bun-version: 1.3.13
+          bun-version: 1.3.14
 
       # Bun is the package manager and script runner, but Next.js (and the
       # lhci binary) run on Node. The runner image is pinned (ubuntu-24.04)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index d07c57c..b5e63b4 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -83,6 +83,6 @@ jobs:
           retention-days: 7
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4.35.2
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba  # v4.35.5
         with:
           sarif_file: results.sarif