diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a202c00..91c180f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,14 +10,14 @@ jobs:
   lint-and-test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
 
     - name: Check Python files
       run: |
         find . -name "*.py" -type f | head -10
 
     - name: Setup Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: '3.11'
 
@@ -37,7 +37,7 @@ jobs:
   documentation:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
 
     - name: Check README exists
       run: |
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index 44942df..7c8bef3 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -10,7 +10,7 @@ jobs:
     if: ${{ github.actor == 'dependabot[bot]' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v9
         id: files
         with:
           script: |
@@ -34,7 +34,7 @@ jobs:
             const bad = files.map(f => f.filename).filter(p => !allowed.some(re => re.test(p)));
             core.setOutput('ok', bad.length === 0 ? 'true' : 'false');
             if (bad.length > 0) core.notice(`Skipping auto-merge; disallowed files: ${bad.join(', ')}`);
-      - uses: dependabot/fetch-metadata@v2
+      - uses: dependabot/fetch-metadata@v3
         id: metadata
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"