diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 394e47a..aa01c65 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
 
     - name: Check project structure
       run: |
@@ -20,7 +20,7 @@ jobs:
   security:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
 
     - name: Basic security scan
       run: |
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index 44942df..7c8bef3 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -10,7 +10,7 @@ jobs:
     if: ${{ github.actor == 'dependabot[bot]' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v9
         id: files
         with:
           script: |
@@ -34,7 +34,7 @@ jobs:
             const bad = files.map(f => f.filename).filter(p => !allowed.some(re => re.test(p)));
             core.setOutput('ok', bad.length === 0 ? 'true' : 'false');
             if (bad.length > 0) core.notice(`Skipping auto-merge; disallowed files: ${bad.join(', ')}`);
-      - uses: dependabot/fetch-metadata@v2
+      - uses: dependabot/fetch-metadata@v3
         id: metadata
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"