diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a72f195c7..8f418bfbb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,14 +23,16 @@ jobs:
           go-version: "1.25"
       - run: go list -json > go.list
       - name: Run nancy
-        uses: sonatype-nexus-community/nancy-github-action@v1.0.2
+        uses: sonatype-nexus-community/nancy-github-action@v1.0.3
       - name: Run golangci-lint
+        if: ${{ github.ref_type != 'tag' }}
         uses: golangci/golangci-lint-action@v8
         env:
           GOGC: 100
         with:
           args: --timeout 10m0s
           version: latest
+          only-new-issues: "true"
       - name: Run go-acc (tests)
         run: |
           make .bin/go-acc
diff --git a/.github/workflows/conventional_commits.yml b/.github/workflows/conventional_commits.yml
index 84171dbf2..eb4d187f3 100644
--- a/.github/workflows/conventional_commits.yml
+++ b/.github/workflows/conventional_commits.yml
@@ -46,7 +46,7 @@ jobs:
             deps
             docs
           default_require_scope: false
-      - uses: amannn/action-semantic-pull-request@v4
+      - uses: amannn/action-semantic-pull-request@v6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index a42e93ca1..4d342247a 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -81,7 +81,7 @@ jobs:
           echo "::endgroup::"
       - name: Anchore upload scan SARIF report
         if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
       - name: Kubescape scanner
@@ -117,7 +117,7 @@ jobs:
           exit-code: 42
           failure-threshold: high
       - name: Hadolint
-        uses: hadolint/hadolint-action@v3.1.0
+        uses: hadolint/hadolint-action@v3.3.0
         id: hadolint
         if: ${{ always() }}
         with:
diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml
index d5e76cee4..ccf262390 100644
--- a/.github/workflows/milestone.yml
+++ b/.github/workflows/milestone.yml
@@ -24,7 +24,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           outputFile: docs/docs/milestones.md
       - name: Commit Milestone Documentation
-        uses: EndBug/add-and-commit@v4.4.0
+        uses: EndBug/add-and-commit@v9.1.4
         with:
           message: "autogen(docs): update milestone document"
           author_name: aeneasr
diff --git a/.github/workflows/pm.yml b/.github/workflows/pm.yml
index 0c69d71b7..cec5a917c 100644
--- a/.github/workflows/pm.yml
+++ b/.github/workflows/pm.yml
@@ -16,14 +16,15 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: ory-corp/planning-automation-action@v0.1
+      - uses: ory-corp/planning-automation-action@v0.2
         with:
           organization: ory-corp
           project: 5
           token: ${{ secrets.ORY_BOT_PAT }}
           todoLabel: "Needs Triage"
           statusName: Status
-          statusValue: "Needs Triage"
+          prStatusValue: "Needs Triage"
+          issueStatusValue: "Needs Triage"
           includeEffort: "false"
           monthlyMilestoneName: Roadmap Monthly
           quarterlyMilestoneName: Roadmap