diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 39048dc01b..a566eb9e41 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -48,17 +48,6 @@ jobs:
     name: Rust Format
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout the latest code
-        id: git_checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Setup Rust Toolchain
-        id: setup_rust_toolchain
-        uses: actions-rust-lang/setup-rust-toolchain@f3c84ee10bf5a86e7a5d607d487bf17d57670965 # v1.5.0
-        with:
-          components: rustfmt
-          cache: false
-
       - name: Rustfmt
         id: rustfmt
         uses: stacks-network/actions/rustfmt@main
diff --git a/.github/workflows/clarity-js-sdk-pr.yml b/.github/workflows/clarity-js-sdk-pr.yml
index 4523808410..6bcd555ca9 100644
--- a/.github/workflows/clarity-js-sdk-pr.yml
+++ b/.github/workflows/clarity-js-sdk-pr.yml
@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: Checkout latest clarity js sdk
         id: git_checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           token: ${{ secrets.GH_TOKEN }}
           repository: ${{ env.CLARITY_JS_SDK_REPOSITORY }}
@@ -46,7 +46,7 @@ jobs:
 
       - name: Create Pull Request
         id: create_pr
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
         with:
           token: ${{ secrets.GH_TOKEN }}
           commit-message: "chore: update clarity-native-bin tag"
diff --git a/.github/workflows/docs-pr.yml b/.github/workflows/docs-pr.yml
index 7543bdd750..8b005e0402 100644
--- a/.github/workflows/docs-pr.yml
+++ b/.github/workflows/docs-pr.yml
@@ -36,7 +36,7 @@ jobs:
     steps:
       - name: Checkout the latest code
         id: git_checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
       - name: Build docs
         id: build_docs
@@ -46,7 +46,7 @@ jobs:
 
       - name: Checkout latest docs
         id: git_checkout_docs
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           token: ${{ secrets.DOCS_GITHUB_TOKEN }}
           repository: ${{ env.TARGET_REPOSITORY }}
@@ -77,7 +77,7 @@ jobs:
       - name: Open PR
         id: open_pr
         if: ${{ steps.push.outputs.open_pr == '1' }}
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.DOCS_GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 02243c4cbf..0c8c19176a 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -48,20 +48,23 @@ jobs:
       ## Downloads the artifacts built in `create-source-binary.yml`
       - name: Download Artifacts
         id: download_artifacts
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
-          name: artifact
+          pattern: ${{ inputs.tag }}-binary-build-*
           path: release
+          merge-multiple: true
 
       ## Generate a checksums file to be added to the release page
       - name: Generate Checksums
         id: generate_checksum
         uses: stacks-network/actions/generate-checksum@main
+        with:
+          artifact_download_pattern: "${{ inputs.tag }}-binary-build-*"
 
       ## Upload the release archives with the checksums file
       - name: Upload Release
         id: upload_release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 #v0.1.15
+        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 #v2.0.5
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
         with:
diff --git a/.github/workflows/image-build-binary.yml b/.github/workflows/image-build-binary.yml
index 74415e7f16..23e75892fe 100644
--- a/.github/workflows/image-build-binary.yml
+++ b/.github/workflows/image-build-binary.yml
@@ -62,7 +62,7 @@ jobs:
       ## ex. debian will have this tag: `type=ref,event=tag,enable=${{ matrix.dist == 'debian' }}`
       - name: Docker Metadata ( ${{matrix.dist}} )
         id: docker_metadata
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 #v5.0.0
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1
         with:
           ## tag images with current repo name `stacks-core` as well as legacy `stacks-blockchain`
           images: |
@@ -79,7 +79,7 @@ jobs:
       ## Build docker image for release
       - name: Build and Push ( ${{matrix.dist}} )
         id: docker_build
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           file: ./.github/actions/dockerfiles/Dockerfile.${{ matrix.dist }}-binary
           platforms: ${{ env.docker_platforms }}
diff --git a/.github/workflows/image-build-source.yml b/.github/workflows/image-build-source.yml
index ebb9afc679..e45455f05b 100644
--- a/.github/workflows/image-build-source.yml
+++ b/.github/workflows/image-build-source.yml
@@ -49,7 +49,7 @@ jobs:
       ## Set docker metatdata
       - name: Docker Metadata ( ${{matrix.dist}} )
         id: docker_metadata
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 #v5.0.0
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1
         with:
           images: |
             ${{env.docker-org}}/${{ github.event.repository.name }}
@@ -61,7 +61,7 @@ jobs:
       ## Build docker image
       - name: Build and Push ( ${{matrix.dist}} )
         id: docker_build
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           file: ./.github/actions/dockerfiles/Dockerfile.${{matrix.dist}}-source
           platforms: ${{ env.docker_platforms }}
diff --git a/.github/workflows/stacks-core-tests.yml b/.github/workflows/stacks-core-tests.yml
index 3195f279fc..70ef457ce7 100644
--- a/.github/workflows/stacks-core-tests.yml
+++ b/.github/workflows/stacks-core-tests.yml
@@ -127,7 +127,7 @@ jobs:
       ## checkout the code
       - name: Checkout the latest code
         id: git_checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
       - name: Run network relay tests
         id: nettest
@@ -145,10 +145,10 @@ jobs:
     steps:
       - name: Checkout the latest code
         id: git_checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Execute core contract unit tests with clarinet-sdk
         id: clarinet_unit_test
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 18.x
           cache: "npm"
@@ -174,7 +174,7 @@ jobs:
     steps:
       - name: Checkout the latest code
         id: git_checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Execute core contract unit tests in Clarinet
         id: clarinet_unit_test_v1
         uses: docker://hirosystems/clarinet:1.7.1