diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fbfb80ab..a5d6d5fe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,7 +41,7 @@ jobs:
     name: Lint & Type Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa # v4
 
@@ -173,7 +173,7 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
@@ -274,7 +274,7 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
@@ -374,7 +374,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
@@ -417,7 +417,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
@@ -493,7 +493,7 @@ jobs:
       - name: Make binaries executable
         run: chmod +x vf-agent-linux-*
 
-      - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
+      - uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
         with:
           generate_release_notes: true
           files: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9cd72442..21bb2f37 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,7 +29,7 @@ jobs:
       packages: read
       security-events: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - uses: github/codeql-action/init@53e96ec3b35fce51c141c0d6f0e31028a448722d # v3
         with:
@@ -51,7 +51,7 @@ jobs:
       packages: read
       security-events: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
diff --git a/.github/workflows/dr-verify.yml b/.github/workflows/dr-verify.yml
index 6f27357d..cdafd978 100644
--- a/.github/workflows/dr-verify.yml
+++ b/.github/workflows/dr-verify.yml
@@ -33,7 +33,7 @@ jobs:
           - 5432:5432
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 3145e3fc..50d4cac6 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -44,7 +44,7 @@ jobs:
       VF_WEBAUTHN_RP_ID: localhost
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 58409f04..e2e25c4a 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -36,7 +36,7 @@ jobs:
     name: Path-Based Labels
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/labeler@v6
         with:
           sync-labels: false
diff --git a/.github/workflows/prisma-migration-checklist.yml b/.github/workflows/prisma-migration-checklist.yml
index e10752e2..853d006c 100644
--- a/.github/workflows/prisma-migration-checklist.yml
+++ b/.github/workflows/prisma-migration-checklist.yml
@@ -26,7 +26,7 @@ jobs:
     name: Require migration checklist
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/smoke-e2e.yml b/.github/workflows/smoke-e2e.yml
index 368aaa79..3b92842d 100644
--- a/.github/workflows/smoke-e2e.yml
+++ b/.github/workflows/smoke-e2e.yml
@@ -54,7 +54,7 @@ jobs:
       ENCRYPTION_KEY: e2e-test-encryption-key-32chars!!
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
diff --git a/.github/workflows/verify-audit-chain.yml b/.github/workflows/verify-audit-chain.yml
index b874572f..92fa07bc 100644
--- a/.github/workflows/verify-audit-chain.yml
+++ b/.github/workflows/verify-audit-chain.yml
@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
diff --git a/.github/workflows/verify-indexes.yml b/.github/workflows/verify-indexes.yml
index ad777490..8ebbf9ed 100644
--- a/.github/workflows/verify-indexes.yml
+++ b/.github/workflows/verify-indexes.yml
@@ -53,7 +53,7 @@ jobs:
           - 5432:5432
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
diff --git a/.github/workflows/verify-pgbouncer-leak.yml b/.github/workflows/verify-pgbouncer-leak.yml
index 3da8baee..a7e579b6 100644
--- a/.github/workflows/verify-pgbouncer-leak.yml
+++ b/.github/workflows/verify-pgbouncer-leak.yml
@@ -49,7 +49,7 @@ jobs:
           - 5432:5432
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
diff --git a/.github/workflows/verify-rls.yml b/.github/workflows/verify-rls.yml
index 75a606da..f5e6a30f 100644
--- a/.github/workflows/verify-rls.yml
+++ b/.github/workflows/verify-rls.yml
@@ -56,7 +56,7 @@ jobs:
           - 5432:5432
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
diff --git a/.github/workflows/verify-tenancy.yml b/.github/workflows/verify-tenancy.yml
index e5dfe1e1..b5bff569 100644
--- a/.github/workflows/verify-tenancy.yml
+++ b/.github/workflows/verify-tenancy.yml
@@ -75,7 +75,7 @@ jobs:
           - 5432:5432
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
@@ -124,7 +124,7 @@ jobs:
           - 5432:5432
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4
 
@@ -161,7 +161,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: pnpm/action-setup@v4