diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index a8d9335..cd3beb8 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -1,23 +1,23 @@
 name: CD
 
 on:
-  push:
+  pull_request:
+    types:
+      - closed
     branches:
-      - main
-    paths:
-      - "src/**"
+      - 'main'
   workflow_dispatch:
 
 
 jobs:
   version-type:
     name: Get version type
-    if: github.actor != 'bitwarden-devops-bot'
+    if: github.event.pull_request.merged == true
     uses: ./.github/workflows/_version_type.yml
 
   version-bump:
     name: Version bump
-    if: github.actor != 'bitwarden-devops-bot' && needs.version-type.outputs.version_bump_type != 'skip'
+    if: needs.version-type.outputs.version_bump_type != 'skip'
     runs-on: ubuntu-24.04
     needs: version-type
     outputs:
@@ -94,7 +94,6 @@ jobs:
 
   release:
     name: GitHub release
-    if: github.actor != 'bitwarden-devops-bot'
     runs-on: ubuntu-22.04
     needs: version-bump
     steps:
@@ -112,7 +111,6 @@ jobs:
 
   deploy:
     name: Deploy workflow-linter (v2)
-    if: github.actor != 'bitwarden-devops-bot'
     runs-on: ubuntu-22.04
     needs: version-bump
     steps:
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index c827ba5..00e6443 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -31,7 +31,7 @@ jobs:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Scan with Checkmarx
-        uses: checkmarx/ast-github-action@b74e8d514feae4ad5ad2b43e72590935bd2daf5f # 2.0.39
+        uses: checkmarx/ast-github-action@184bf2f64f55d1c93fd6636d539edf274703e434 # 2.0.41
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
@@ -46,7 +46,7 @@ jobs:
             --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           sarif_file: cx_result.sarif
 
diff --git a/.github/workflows/update_actions.yml b/.github/workflows/update_actions.yml
index 09c16b3..dbbb6cc 100644
--- a/.github/workflows/update_actions.yml
+++ b/.github/workflows/update_actions.yml
@@ -76,7 +76,7 @@ jobs:
 
       - name: Generate GH App token
         if: steps.new-changes.outputs.new_changes == 'TRUE'
-        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         id: app-token
         with:
           app-id: ${{ secrets.GH_APP_ID }}
diff --git a/src/bitwarden_workflow_linter/__about__.py b/src/bitwarden_workflow_linter/__about__.py
index 766bc96..1bbcffd 100644
--- a/src/bitwarden_workflow_linter/__about__.py
+++ b/src/bitwarden_workflow_linter/__about__.py
@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
 
-__version__ = "0.4.3"
+__version__ = "0.4.4"