diff --git a/.github/workflows/coverage-comment.yaml b/.github/workflows/coverage-comment.yaml
index 0192fb4d1..e840fa3a5 100644
--- a/.github/workflows/coverage-comment.yaml
+++ b/.github/workflows/coverage-comment.yaml
@@ -26,14 +26,14 @@ jobs:
       
       - name: Upload Coverage Report
         id: upload-report
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: coverage-report
           path: coverage/
           retention-days: 14
 
       - name: Post Comment
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           ARTIFACT_URL: ${{ steps.upload-report.outputs.artifact-url }}
         with:
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index cffe7390d..ba5a4c607 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -26,7 +26,7 @@ jobs:
         run: uv build
 
       - name: Upload distributions
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: release-dists
           path: dist/
@@ -46,6 +46,6 @@ jobs:
           path: dist/
 
       - name: Publish release distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           packages-dir: dist/
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 797f336a6..a9e80a5bd 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -13,7 +13,7 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
+      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v4
         with:
           token: ${{ secrets.A2A_BOT_PAT }}
           config-file: release-please-config.json
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 76e372701..35d403aa6 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -12,7 +12,7 @@ jobs:
       contents: read
     steps:
       - name: Perform Bandit Analysis
-        uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de # v1
+        uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1
         with:
           severity: medium
           confidence: medium
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 51f8bbc53..d6d0fba9e 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -102,7 +102,7 @@ jobs:
           echo ${{ github.event.pull_request.base.ref || 'main' }} > ./BASE_BRANCH
 
       - name: Upload Coverage Artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         if: github.event_name == 'pull_request' && matrix.python-version == '3.14'
         with:
           name: coverage-data
@@ -120,7 +120,7 @@ jobs:
         run: uv run pytest --cov=a2a --cov-report term --cov-fail-under=88
 
       - name: Upload Artifact (base)
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         if: github.event_name != 'pull_request' && matrix.python-version == '3.14'
         with:
           name: coverage-report