diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 2d6b01e..9347843 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -15,6 +15,6 @@ jobs:
 GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
 run: gh pr merge --auto --squash "$PR_URL"
 - name: Auto approve dependabot PRs
- uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4
+ uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0
 with:
 github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c97bd1b..3056146 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -106,7 +106,7 @@ jobs:
 echo "::set-output name=CLI_VERSION::${{ env.CLI_VERSION }}"
 - name: Release
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+ uses: step-security/action-gh-release@277bfa82abcfdb73e5bbb19e213fd76532ee2be5 # v3.0.0
 with:
 tag_name: ${{ env.GH_RELEASE_TAG_NAME }}
 generate_release_notes: true
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
index 367fc93..0bc3247 100644
--- a/.github/workflows/update-cli.yml
+++ b/.github/workflows/update-cli.yml
@@ -76,7 +76,7 @@ jobs:
 - name: Create Pull Request
 if: steps.ast-cli-java-wrapper.outputs.current_tag != steps.ast-cli-java-wrapper.outputs.release_tag
- uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c #v6.1.0
+ uses: step-security/create-pull-request@50c103da2b9ca12cd5bc013fc6931051a5aa872b # v8.1.1
 with:
 token: ${{ secrets.AUTOMATION_TOKEN }}
 commit-message: Update ast-cli-java-wrapper to ${{ steps.ast-cli-java-wrapper.outputs.release_tag }}
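Review bot: The new `uses:` line in auto-merge.yml hands `secrets.PERSONAL_ACCESS_TOKEN` to code from a different publisher, and nothing in the diff lets a reader confirm that `0c28339628c8e79ab2f6813291e7e6cd584b4d30` is the commit the `# v4.0.0` comment names. Resolve that SHA against the tag in the step-security repository before merging, and do the same for the pins in release.yml and update-cli.yml, where update-cli.yml passes `secrets.AUTOMATION_TOKEN`. Because this step approves pull requests and the preceding step merges them with the same token, the token should be scoped to this repository only and the job limited to Dependabot-authored PRs; that condition sits outside the hunk, so it cannot be checked here. A comment above the step such as `# approval uses a PAT; keep the job gated on the Dependabot author check` would record the dependency.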
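Review bot: The release step in release.yml moves from `# v1` to `# v3.0.0`, two major versions in one change, and only `tag_name` and `generate_release_notes` are visible here, so any further `with:` inputs below the hunk need checking against the fork's v3 input list; the same applies to the v6.1.0 to v8.1.1 jump for create-pull-request in update-cli.yml. Separately, the context line above the step still uses the deprecated `::set-output` workflow command and expands `${{ env.CLI_VERSION }}` inside the script text. Writing `echo "CLI_VERSION=$CLI_VERSION" >> "$GITHUB_OUTPUT"` removes the deprecated command and keeps the value out of the generated shell source. The step containing that `echo` begins outside the hunk.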