diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bdd2ebe2977..e4b73ba66ae 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -82,7 +82,7 @@ jobs:
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Set up node and yarn
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
         with:
           node-version: 14
           cache: yarn
@@ -98,7 +98,7 @@ jobs:
           echo "${PKG_NAME} copyright year is ${PKG_COPYRIGHT_YEAR}"
           cd ui && make && cd ..
       - name: Save assets to cache
-        uses: actions/cache/save@v3 # TSCCR: no version of actions/cache trusts nested action "save"
+        uses: actions/cache/save@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ui/dist/assets
           key: ui_assets_${{ github.sha }}
@@ -116,7 +116,7 @@ jobs:
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
       - name: Restore ui assets
-        uses: actions/cache/restore@v3 # TSCCR: no version of actions/cache trusts nested action "restore"
+        uses: actions/cache/restore@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ui/dist/assets
           key: ui_assets_${{ github.sha }}
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 2af1709cae0..f48dec210a9 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -24,7 +24,7 @@ jobs:
             ui/node_modules
             ui/lib/node_modules
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
         if: steps.ui-cache.outputs.cache-hit == false
         with:
           node-version: 14
@@ -41,7 +41,7 @@ jobs:
       - frontend-cache
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
         with:
           node-version: 14
 
@@ -65,7 +65,7 @@ jobs:
       - frontend-cache
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
         with:
           node-version: 14
 
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 988ad4889ff..792ab68c031 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -26,7 +26,7 @@ jobs:
             ui/lib/node_modules
             ui/dist/
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
         if: steps.ui-cache.outputs.cache-hit == false
         with:
           node-version: 14
diff --git a/.github/workflows/jira.yml b/.github/workflows/jira.yml
index f0a86468c43..23b8e48bd42 100644
--- a/.github/workflows/jira.yml
+++ b/.github/workflows/jira.yml
@@ -16,7 +16,7 @@ jobs:
     if: contains(github.event.label.name, 'jira')
     steps:
       - name: Login
-        uses: atlassian/gajira-login@45fd029b9f1d6d8926c6f04175aa80c0e42c9026 # v3.0.1
+        uses: atlassian/gajira-login@ca13f8850ea309cf44a6e4e0c49d9aa48ac3ca4c # v3
         env:
           JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
           JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
@@ -77,13 +77,13 @@ jobs:
           comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}"
       - name: Close ticket
         if: ( github.event.action == 'closed' || github.event.action == 'deleted' ) && steps.search.outputs.issue
-        uses: atlassian/gajira-transition@38fc9cd61b03d6a53dd35fcccda172fe04b36de3 # v3
+        uses: atlassian/gajira-transition@4749176faf14633954d72af7a44d7f2af01cc92b # v3
         with:
           issue: ${{ steps.search.outputs.issue }}
           transition: "Closed"
       - name: Reopen ticket
         if: github.event.action == 'reopened' && steps.search.outputs.issue
-        uses: atlassian/gajira-transition@38fc9cd61b03d6a53dd35fcccda172fe04b36de3 # v3
+        uses: atlassian/gajira-transition@4749176faf14633954d72af7a44d7f2af01cc92b # v3
         with:
           issue: ${{ steps.search.outputs.issue }}
           transition: "Pending Triage"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 346a32215ac..df1a355addb 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,7 +7,7 @@ jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@9fcb2c2f5584144ca754f8bfe8c6f81e77753375 # v4.1.0
+      - uses: actions/labeler@0967ca812e7fdc8f5f71402a1b486d5bd061fe20 # v4.2.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"