diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index bdfd5b1..75aca5d 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -69,7 +69,7 @@ jobs:
         # protected branches require CODECOV_TOKEN to upload, and we don't want
         # a missing token to fail a PR. Set CODECOV_TOKEN in repo secrets to
         # turn the upload into a hard gate again.
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@v6.0.1
         with:
           files: ./coverage.xml
           flags: r
diff --git a/.github/workflows/test-coverage.yaml b/.github/workflows/test-coverage.yaml
index fcbff56..53e1c01 100644
--- a/.github/workflows/test-coverage.yaml
+++ b/.github/workflows/test-coverage.yaml
@@ -36,7 +36,7 @@ jobs:
           covr::to_cobertura(cov)
         shell: Rscript {0}
 
-      - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
+      - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
         with:
           # Fail if error if not on PR, or if on PR and token is given
           fail_ci_if_error: ${{ github.event_name != 'pull_request' || secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/valgrind.yaml b/.github/workflows/valgrind.yaml
index 78e3e93..8e8d631 100644
--- a/.github/workflows/valgrind.yaml
+++ b/.github/workflows/valgrind.yaml
@@ -91,7 +91,7 @@ jobs:
 
       - name: Upload valgrind log
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: valgrind-log
           path: ${{ runner.temp }}/valgrind.log