diff --git a/.github/workflows/main-promote-builder-image.yml b/.github/workflows/main-promote-builder-image.yml
index 556496e6f..b149c7ca0 100644
--- a/.github/workflows/main-promote-builder-image.yml
+++ b/.github/workflows/main-promote-builder-image.yml
@@ -16,7 +16,7 @@ jobs:
         password: ${{ secrets.github_token }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fixup git permissions
         # https://github.com/actions/checkout/issues/766
         shell: bash
diff --git a/.github/workflows/pr-e2e.yaml b/.github/workflows/pr-e2e.yaml
index 3f629cabf..3f0e41e0b 100644
--- a/.github/workflows/pr-e2e.yaml
+++ b/.github/workflows/pr-e2e.yaml
@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 8e6b39770..6ff2410f1 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -20,7 +20,7 @@ jobs:
         password: ${{ secrets.github_token }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index 7765055e9..c262b5ef6 100644
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -16,7 +16,7 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
diff --git a/.github/workflows/report-bin-size.yml b/.github/workflows/report-bin-size.yml
index bf9387ec7..4e5c8759b 100644
--- a/.github/workflows/report-bin-size.yml
+++ b/.github/workflows/report-bin-size.yml
@@ -9,7 +9,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fixup git permissions
         # https://github.com/actions/checkout/issues/766
         shell: bash
diff --git a/.github/workflows/schedule-link-checker.yml b/.github/workflows/schedule-link-checker.yml
index 1ecdcca9a..be50f9909 100644
--- a/.github/workflows/schedule-link-checker.yml
+++ b/.github/workflows/schedule-link-checker.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Generate Token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1
diff --git a/.github/workflows/schedule-scan-image.yml b/.github/workflows/schedule-scan-image.yml
index 51a6f968a..5b2a6e581 100644
--- a/.github/workflows/schedule-scan-image.yml
+++ b/.github/workflows/schedule-scan-image.yml
@@ -15,7 +15,7 @@ jobs:
         password: ${{ secrets.github_token }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Fixup git permissions
         # https://github.com/actions/checkout/issues/766
         shell: bash
diff --git a/.github/workflows/schedule-update-bot.yaml b/.github/workflows/schedule-update-bot.yaml
index c68c25584..c6ee5d879 100644
--- a/.github/workflows/schedule-update-bot.yaml
+++ b/.github/workflows/schedule-update-bot.yaml
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Generate Token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1
@@ -44,7 +44,7 @@ jobs:
           echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "$GITHUB_ENV"
 
       - name: Renovate
-        uses: renovatebot/github-action@c3216113121a7c690027cd21eaad8a318c58bbcd # v38.1.4
+        uses: renovatebot/github-action@8dd353442b603b79e9ad46ebd25bdac25d67ccfa # v38.1.13
         env:
           RENOVATE_HOST_RULES: '[{"hostType": "docker", "matchHost": "ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
           RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '[".*"]'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 27ec2cc7a..12deaa290 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,7 +29,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Coverage result name
         id: name
         run: |