diff --git a/.github/workflows/codeql-actions.yml b/.github/workflows/codeql-actions.yml
index e86f58c7a..dd4f1551e 100644
--- a/.github/workflows/codeql-actions.yml
+++ b/.github/workflows/codeql-actions.yml
@@ -29,7 +29,7 @@ jobs:
       packages: read
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         fetch-depth: 0
         ref: ${{ inputs.ref }}
@@ -37,7 +37,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
+      uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3
       with:
         languages: actions
         build-mode: none
@@ -45,6 +45,6 @@ jobs:
         queries: security-extended
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
+      uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3
       with:
         category: "/language:actions"
diff --git a/.github/workflows/codeql-python.yml b/.github/workflows/codeql-python.yml
index 8b40b5f7a..f1de8f1e5 100644
--- a/.github/workflows/codeql-python.yml
+++ b/.github/workflows/codeql-python.yml
@@ -31,7 +31,7 @@ jobs:
       packages: read
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         fetch-depth: 0
         ref: ${{ inputs.ref }}
@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
+      uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3
       with:
         languages: python
         build-mode: none
@@ -61,6 +61,6 @@ jobs:
         pip install dist/*.whl
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
+      uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3
       with:
         category: "/language:python"
diff --git a/.github/workflows/dist-python.yml b/.github/workflows/dist-python.yml
index de5d7dc69..f9801e9fc 100644
--- a/.github/workflows/dist-python.yml
+++ b/.github/workflows/dist-python.yml
@@ -39,7 +39,7 @@ jobs:
 
     steps:  
       - name: Checkout libmongocrypt
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
           ref: ${{ inputs.ref }}
diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml
index c4356e7a2..9a40e22b8 100644
--- a/.github/workflows/test-python.yml
+++ b/.github/workflows/test-python.yml
@@ -23,7 +23,7 @@ jobs:
     if: github.repository_owner == 'mongodb'
     runs-on: ubuntu-latest
     steps:
-     - uses: actions/checkout@v4
+     - uses: actions/checkout@v5
        with:
         persist-credentials: false
      - uses: actions/setup-python@v5
@@ -46,7 +46,7 @@ jobs:
         python-version: ["3.9", "3.13", "3.14"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
           persist-credentials: false
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 09743a368..49e996d21 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -14,8 +14,8 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@383d31df2eb66a2f42db98c9654bdc73231f3e3a
\ No newline at end of file
+        uses: zizmorcore/zizmor-action@7f2abfff7488a44086dba64ed2f5a9b431508079
\ No newline at end of file