diff --git a/.github/workflows/check-pinned-versions.yml b/.github/workflows/check-pinned-versions.yml
index 82fbda0..88b3734 100644
--- a/.github/workflows/check-pinned-versions.yml
+++ b/.github/workflows/check-pinned-versions.yml
@@ -13,7 +13,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Check for unpinned dependency versions
         run: |
diff --git a/.github/workflows/e2e-coverage-bot.yml b/.github/workflows/e2e-coverage-bot.yml
index 2f1e920..01f650f 100644
--- a/.github/workflows/e2e-coverage-bot.yml
+++ b/.github/workflows/e2e-coverage-bot.yml
@@ -43,7 +43,7 @@ jobs:
     steps:
       # Checkout the PR branch using the bot token so git push works
       # and so `gh` CLI inside Claude is authenticated as the bot account
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ github.head_ref }}
@@ -52,7 +52,7 @@ jobs:
       - name: Fetch base branch
         run: git fetch origin ${{ github.base_ref }}
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: '20'
 
diff --git a/.github/workflows/pr-gate.yml b/.github/workflows/pr-gate.yml
index f2363ec..6ebbda3 100644
--- a/.github/workflows/pr-gate.yml
+++ b/.github/workflows/pr-gate.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set validation status
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const labels = context.payload.pull_request.labels.map(l => l.name);
@@ -70,7 +70,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Update validation status from E2E result
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const run = context.payload.workflow_run;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a2ab361..c7d5420 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,18 +18,18 @@ jobs:
     if: "!startsWith(github.event.head_commit.message, 'chore(skills): release')"
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GIT_TOKEN }}
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '25.3.0'
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
diff --git a/.github/workflows/spa-pr-validation.yml b/.github/workflows/spa-pr-validation.yml
index d0280a1..5105041 100644
--- a/.github/workflows/spa-pr-validation.yml
+++ b/.github/workflows/spa-pr-validation.yml
@@ -30,13 +30,13 @@ jobs:
       nodes-json: ${{ steps.config.outputs.nodes-json }}
       venv-name: ${{ steps.config.outputs.venv-name }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Detect changes
         id: changes
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@v4
         with:
           filters: |
             app:
@@ -163,12 +163,12 @@ jobs:
     if: always() && needs.acquire-domain.result == 'success'
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '20'
 
@@ -189,7 +189,7 @@ jobs:
       auth-uri: ${{ steps.read-auth.outputs.image-uri }}
     steps:
       - name: Checkout ops
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: iblai/iblai-web-ops
           token: ${{ secrets.GIT_TOKEN || github.token }}
@@ -908,7 +908,7 @@ jobs:
 
       - name: Update PR gate status
         if: always()
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const passed = '${{ steps.check-results.outcome }}' === 'success';
diff --git a/.github/workflows/test-full-pipeline.yml b/.github/workflows/test-full-pipeline.yml
index 225b51e..f6ac2c6 100644
--- a/.github/workflows/test-full-pipeline.yml
+++ b/.github/workflows/test-full-pipeline.yml
@@ -125,7 +125,7 @@ jobs:
           done
 
       - name: Checkout infra CLI
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: iblai/iblai-infra-cli
           token: ${{ secrets.GIT_TOKEN }}
diff --git a/.github/workflows/trigger-docker-build.yml b/.github/workflows/trigger-docker-build.yml
index cbe9e36..ee7fec6 100644
--- a/.github/workflows/trigger-docker-build.yml
+++ b/.github/workflows/trigger-docker-build.yml
@@ -18,7 +18,7 @@ jobs:
     outputs:
       version: ${{ steps.version.outputs.version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Extract version from package.json
         id: version