diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 191b3a8..053e1a5 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -37,22 +37,22 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0   # full history for accurate Sonar analysis
 
-      - uses: actions/setup-dotnet@v4
+      - uses: actions/setup-dotnet@v5
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
           cache-dependency-path: ${{ env.FRONTEND_DIR }}/package-lock.json
 
       - name: Setup Java (required by Sonar scanner)
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           java-version: '17'
@@ -105,12 +105,12 @@ jobs:
       - name: Publish API
         run: dotnet publish ${{ env.API_PROJECT }} -c Release -o ./publish/api
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: api
           path: ./publish/api
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: frontend
           path: ${{ env.FRONTEND_DIR }}/dist
@@ -127,18 +127,18 @@ jobs:
     timeout-minutes: 25
     environment: production   # add reviewers in repo settings for an approval gate
     steps:
-      - uses: actions/checkout@v4     # source needed to run EF migrations
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@v7     # source needed to run EF migrations
+      - uses: actions/download-artifact@v8
         with: { name: api, path: ./publish/api }
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v8
         with: { name: frontend, path: ./dist }
 
-      - uses: actions/setup-dotnet@v4
+      - uses: actions/setup-dotnet@v5
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
       - name: Azure login (OIDC)
-        uses: azure/login@v2
+        uses: azure/login@v3
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 12c6435..0d07898 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,15 +28,15 @@ jobs:
           - language: javascript-typescript
             build-mode: none
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
 
       - if: matrix.language == 'csharp'
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@v5
         with:
           dotnet-version: '10.0.x'
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -47,6 +47,6 @@ jobs:
         run: dotnet build backend --configuration Release
 
       - name: Analyze
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: '/language:${{ matrix.language }}'