diff --git a/.github/workflows/build-envoy-image-ci.yaml b/.github/workflows/build-envoy-image-ci.yaml
index dcb727a4f..267e3c8c2 100644
--- a/.github/workflows/build-envoy-image-ci.yaml
+++ b/.github/workflows/build-envoy-image-ci.yaml
@@ -67,7 +67,7 @@ jobs:
           fi
 
       - name: PR Multi-arch build & push of Builder image (dev)
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
         id: docker_build_builder_ci
         with:
@@ -86,7 +86,7 @@ jobs:
           echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}"
 
       - name: PR Multi-arch build & push of cilium-envoy
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         id: docker_build_ci
         with:
           provenance: false
diff --git a/.github/workflows/build-envoy-images-release-base.yaml b/.github/workflows/build-envoy-images-release-base.yaml
index 7459287b5..bf14941e8 100644
--- a/.github/workflows/build-envoy-images-release-base.yaml
+++ b/.github/workflows/build-envoy-images-release-base.yaml
@@ -75,7 +75,7 @@ jobs:
         images: cilium-envoy-builder
 
     - name: Run integration tests on amd64 to update docker cache
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
       id: docker_tests_ci_cache_update
       with:
         provenance: false
@@ -131,7 +131,7 @@ jobs:
         fi
 
     - name: Multi-arch build & push of Builder image
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
       if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false'
       id: docker_build_builder
       with:
@@ -144,7 +144,7 @@ jobs:
           quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }}
           quay.io/${{ github.repository_owner }}/cilium-envoy-builder:latest
     - name: Multi-arch build & push of build artifact archive
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
       with:
         context: .
         file: ./Dockerfile
@@ -170,7 +170,7 @@ jobs:
         docker buildx prune -f
 
     - name: Multi-arch build & push main latest
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
       id: docker_build_cd
       with:
         provenance: false
diff --git a/.github/workflows/ci-check-format.yaml b/.github/workflows/ci-check-format.yaml
index 5cb9b2017..29395a527 100644
--- a/.github/workflows/ci-check-format.yaml
+++ b/.github/workflows/ci-check-format.yaml
@@ -36,7 +36,7 @@ jobs:
           images: cilium-envoy-builder-dev
 
       - name: Check format
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         id: docker_format_ciak
         with:
           target: format
@@ -86,7 +86,7 @@ jobs:
           images: cilium-envoy-builder-dev
 
       - name: Run clang-tidy
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         # skip if nothing changed
         if: ${{ env.TIDY_SOURCES != '' }}
         id: docker_clang_tidy
diff --git a/.github/workflows/ci-tests.yaml b/.github/workflows/ci-tests.yaml
index c9ce1b86b..1c5473576 100644
--- a/.github/workflows/ci-tests.yaml
+++ b/.github/workflows/ci-tests.yaml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Install Go
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         # renovate: datasource=golang-version depName=go
         go-version: 1.25.1
@@ -69,7 +69,7 @@ jobs:
           images: cilium-envoy-builder-dev
 
       - name: Run integration tests on amd64
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         id: docker_tests_ci
         with:
           provenance: false
diff --git a/.github/workflows/cilium-gateway-api.yaml b/.github/workflows/cilium-gateway-api.yaml
index 8dbeb8eba..8a0c61613 100644
--- a/.github/workflows/cilium-gateway-api.yaml
+++ b/.github/workflows/cilium-gateway-api.yaml
@@ -71,7 +71,7 @@ jobs:
           cilium version
 
       - name: Create kind cluster
-        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
         with:
           version: ${{ env.KIND_VERSION }}
           config: '.github/kind-config.yaml'
diff --git a/.github/workflows/cilium-integration-tests.yaml b/.github/workflows/cilium-integration-tests.yaml
index c2ecca464..ebb63b961 100644
--- a/.github/workflows/cilium-integration-tests.yaml
+++ b/.github/workflows/cilium-integration-tests.yaml
@@ -79,14 +79,14 @@ jobs:
           cilium version
 
       - name: Create kind cluster
-        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
         with:
           version: ${{ env.KIND_VERSION }}
           config: '.github/kind-config.yaml'
           cluster_name: 'kind'
 
       - name: Install Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           # renovate: datasource=golang-version depName=go
           go-version: 1.25.1
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5cb000da2..947978aa2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,7 +28,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
         with:
           languages: ${{ matrix.config.language }}
 
@@ -62,10 +62,10 @@ jobs:
 
       - name: Autobuild
         if: matrix.config.language != 'cpp'
-        uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
+        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
         with:
           category: '/language:${{matrix.config.language}}'
           output: sarif-output-${{ matrix.config.language }}.sarif