diff --git a/github-actions-staging.Dockerfile b/github-actions-staging.Dockerfile
index 36b13a98..7d907026 100644
--- a/github-actions-staging.Dockerfile
+++ b/github-actions-staging.Dockerfile
@@ -2,7 +2,7 @@
 # difference is that it consumes ./bin/github-actions (built by welder) instead
 # of dist/github-actions (built by CI). Keep the two files in sync.
 
-FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS builder
+FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS builder
 
 RUN apk update && apk upgrade --no-cache \
     && apk add --no-cache curl bash binutils upx ca-certificates tar python3 \
@@ -73,7 +73,7 @@ RUN rm -rf \
     && rm -rf /tmp/* /var/tmp/*
 
 # ── runtime ─────────────────────────────────────────────────────────────────
-FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
+FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
 
 RUN apk update && apk upgrade --no-cache \
     && apk add --no-cache ca-certificates git openssh-client curl jq bash python3 \
diff --git a/github-actions.Dockerfile b/github-actions.Dockerfile
index 36f53d2e..e279aae6 100644
--- a/github-actions.Dockerfile
+++ b/github-actions.Dockerfile
@@ -5,7 +5,7 @@
 # git ops. HEALTHCHECK omitted: one-shot action, never long-running.
 
 # Refresh: docker buildx imagetools inspect alpine:3.21
-FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS builder
+FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS builder
 
 # python3 needed so `gcloud components install` doesn't fall back to (and recreate) the bundled Python we want to delete.
 RUN apk update && apk upgrade --no-cache \
@@ -84,7 +84,7 @@ RUN rm -rf \
     && rm -rf /tmp/* /var/tmp/*
 
 # ── runtime ─────────────────────────────────────────────────────────────────
-FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
+FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
 
 # python3 stays — gcloud invokes it. py3-pip / binutils / upx confined to builder.
 RUN apk update && apk upgrade --no-cache \