diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index edf04ca..7c1af3e 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -23,7 +23,7 @@ jobs:
         configuration-path: .github/labeler-config.yml
         enable-versioned-regex: 0
     - name: Check team membership for user
-      uses: elastic/get-user-teams-membership@v1.0.4
+      uses: elastic/get-user-teams-membership@1.1.0
       id: checkUserMember
       with:
         username: ${{ github.actor }}
diff --git a/.github/workflows/release-step-3.yml b/.github/workflows/release-step-3.yml
index b6579e4..dc0dbb2 100644
--- a/.github/workflows/release-step-3.yml
+++ b/.github/workflows/release-step-3.yml
@@ -96,7 +96,7 @@ jobs:
         run: tar xvf ${{ env.TARBALL_FILE }}
 
       - name: generate build provenance
-        uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4  # v1.1.1
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0  # v1.3.3
         with:
           subject-path: "${{ github.workspace }}/**/target/*.jar"
 
diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
index b4baccc..76e75e9 100644
--- a/.github/workflows/snapshot.yml
+++ b/.github/workflows/snapshot.yml
@@ -66,7 +66,7 @@ jobs:
         run: tar xvf ${{ env.TARBALL_FILE }}
 
       - name: generate build provenance
-        uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4  # v1.1.1
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0  # v1.3.3
         with:
           subject-path: "${{ github.workspace }}/**/target/*.jar"
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 744573e..c8c5882 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,17 +30,17 @@ jobs:
         - 'compile javadoc:javadoc'
       fail-fast: false
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: ./.github/workflows/maven-goal
       with:
         command: ./mvnw ${{ matrix.goal }}
     - name: Store test results
       if: ${{ matrix.goal == 'test' }} && (success() || failure())
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: test-results
         path: '**/target/surefire-reports'
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@v4
       if: contains(${{ matrix.goal }}, 'license')
       with:
         name: license-report
diff --git a/.github/workflows/updatecli.yml b/.github/workflows/updatecli.yml
index 99369c8..c942a12 100644
--- a/.github/workflows/updatecli.yml
+++ b/.github/workflows/updatecli.yml
@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}