diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index acb7f903..60e40cd4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,14 +32,14 @@ jobs:
               uses: actions/checkout@v6.0.2
 
             - name: Initialize CodeQL
-              uses: github/codeql-action/init@v4.35.5
+              uses: github/codeql-action/init@v4.36.0
               with:
                   languages: ${{ matrix.language }}
 
             - name: Autobuild
-              uses: github/codeql-action/autobuild@v4.35.5
+              uses: github/codeql-action/autobuild@v4.36.0
 
             - name: Perform CodeQL Analysis
-              uses: github/codeql-action/analyze@v4.35.5
+              uses: github/codeql-action/analyze@v4.36.0
               with:
                   category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/main-pr-docker-smoke.yml b/.github/workflows/main-pr-docker-smoke.yml
index 33d3558f..acf09c6e 100644
--- a/.github/workflows/main-pr-docker-smoke.yml
+++ b/.github/workflows/main-pr-docker-smoke.yml
@@ -40,7 +40,7 @@ jobs:
               # `# syntax=docker/dockerfile:1`, `RUN --mount=type=cache,...`,
               # and `RUN --mount=type=secret,...`. Without buildx, those parse
               # as ordinary RUNs and break the build.
-              uses: docker/setup-buildx-action@v4.0.0
+              uses: docker/setup-buildx-action@v4.1.0
 
             - name: Build images
               # `docker compose build` invokes buildx per service. No GHA cache
diff --git a/.github/workflows/metrics.yml b/.github/workflows/metrics.yml
index 4571c201..3144ea7c 100644
--- a/.github/workflows/metrics.yml
+++ b/.github/workflows/metrics.yml
@@ -19,7 +19,7 @@ jobs:
         steps:
             # https://github.com/lowlighter/metrics/tree/master/source/plugins/pagespeed
             - name: 'metrics: pagespeed'
-              uses: lowlighter/metrics@v3.34
+              uses: lowlighter/metrics@v4
               with:
                   token: NOT_NEEDED
                   committer_branch: metrics
diff --git a/.github/workflows/release.docker.yml b/.github/workflows/release.docker.yml
index 859d68cb..c5476f86 100644
--- a/.github/workflows/release.docker.yml
+++ b/.github/workflows/release.docker.yml
@@ -18,17 +18,17 @@ jobs:
               uses: actions/checkout@v6.0.2
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v4.0.0
+              uses: docker/setup-buildx-action@v4.1.0
 
             - name: Log in to GitHub Container Registry
-              uses: docker/login-action@v4.1.0
+              uses: docker/login-action@v4.2.0
               with:
                   registry: ghcr.io
                   username: ${{ github.actor }}
                   password: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Build and push Docker image
-              uses: docker/build-push-action@v7.1.0
+              uses: docker/build-push-action@v7.2.0
               with:
                   context: .
                   file: ./Dockerfile.app
@@ -63,17 +63,17 @@ jobs:
               uses: actions/checkout@v6.0.2
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v4.0.0
+              uses: docker/setup-buildx-action@v4.1.0
 
             - name: Log in to GitHub Container Registry
-              uses: docker/login-action@v4.1.0
+              uses: docker/login-action@v4.2.0
               with:
                   registry: ghcr.io
                   username: ${{ github.actor }}
                   password: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Build and push MIGRATE image
-              uses: docker/build-push-action@v7.1.0
+              uses: docker/build-push-action@v7.2.0
               with:
                   context: .
                   file: ./Dockerfile.migrate
diff --git a/.github/workflows/staging.docker.yml b/.github/workflows/staging.docker.yml
index 7c6f5962..f4cfaa24 100644
--- a/.github/workflows/staging.docker.yml
+++ b/.github/workflows/staging.docker.yml
@@ -49,17 +49,17 @@ jobs:
               uses: actions/checkout@v6.0.2
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v4.0.0
+              uses: docker/setup-buildx-action@v4.1.0
 
             - name: Log in to GitHub Container Registry
-              uses: docker/login-action@v4.1.0
+              uses: docker/login-action@v4.2.0
               with:
                   registry: ghcr.io
                   username: ${{ github.actor }}
                   password: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Build and push MIGRATE
-              uses: docker/build-push-action@v7.1.0
+              uses: docker/build-push-action@v7.2.0
               with:
                   context: .
                   file: ./Dockerfile.migrate
@@ -75,17 +75,17 @@ jobs:
               uses: actions/checkout@v6.0.2
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v4.0.0
+              uses: docker/setup-buildx-action@v4.1.0
 
             - name: Log in to GitHub Container Registry
-              uses: docker/login-action@v4.1.0
+              uses: docker/login-action@v4.2.0
               with:
                   registry: ghcr.io
                   username: ${{ github.actor }}
                   password: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Build and push APP
-              uses: docker/build-push-action@v7.1.0
+              uses: docker/build-push-action@v7.2.0
               with:
                   context: .
                   file: ./Dockerfile.app