From 0cda04fc931ccbd4489850707fe46a8de363a4ea Mon Sep 17 00:00:00 2001 From: bussyjd Date: Sun, 24 May 2026 23:14:15 +0400 Subject: [PATCH 1/3] fix(renovate): track frontend docker rc images --- .github/workflows/renovate.yml | 4 ++-- renovate.json | 33 +++++++++------------------------ 2 files changed, 11 insertions(+), 26 deletions(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 48ba1542..cacb5df8 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -2,7 +2,7 @@ name: Renovate on: schedule: - - cron: "0 0 * * *" # every day + - cron: "0 * * * *" # hourly workflow_dispatch: inputs: dry_run: @@ -28,7 +28,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Renovate - uses: renovatebot/github-action@a4df0f50ee02c2fc7b4b8f8aa4a3ff6929fa4fc1 # v46.1.13 + uses: renovatebot/github-action@79dc0ba74dc3de28db0a7aeb1d0b95d5bf5fde2a # v46.1.13 env: LOG_LEVEL: debug RENOVATE_DRY_RUN: ${{ github.event.inputs.dry_run == 'true' && 'full' || '' }} diff --git a/renovate.json b/renovate.json index 4f258dfe..1317c83f 100644 --- a/renovate.json +++ b/renovate.json @@ -10,15 +10,14 @@ "customManagers": [ { "customType": "regex", - "description": "Update obol-stack-front-end version from GitHub releases", + "description": "Update obol-stack-front-end Docker image tag and digest", "matchStrings": [ - "tag:\\s*[\"'](?v[0-9]+\\.[0-9]+\\.[0-9]+(?:-rc\\.[0-9]+)?)[\"']" + "repository:\\s*(?obolnetwork/obol-stack-front-end)\\s*\\n\\s*pullPolicy:\\s*[^\\n]+\\n(?:\\s*#.*\\n)*\\s*tag:\\s*[\"']?(?v?[0-9]+\\.[0-9]+\\.[0-9]+(?:-[A-Za-z0-9.]+)?)(?:@(?sha256:[a-f0-9]+))?[\"']?" ], "fileMatch": [ "^internal/embed/infrastructure/values/obol-frontend\\.yaml\\.gotmpl$" ], - "datasourceTemplate": "github-releases", - "depNameTemplate": "ObolNetwork/obol-stack-front-end", + "datasourceTemplate": "docker", "versioningTemplate": "semver" }, { 
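Review bot: The `renovatebot/github-action` pin in the `@@ -28,7 +28,7 @@` hunk moves from `a4df0f50…` to `79dc0ba7…` while the trailing comment still reads `# v46.1.13`, so one of the two SHAs never matched that tag and the comment cannot show which. Before merging, resolve the tag upstream and confirm it dereferences to the new commit. The comment is the only human-readable link between a 40-character pin and a release, so it has to be exact. The first hunk of this file moves the schedule from daily to hourly, so a wrong pin would also be executed far more often. The step's `with:` block continues below the hunk.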
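Review bot: The digest group in the new `matchStrings` entry, `sha256:[a-f0-9]+`, accepts a hex run of any length, so a truncated or mistyped digest in the values file would still be captured as the current digest. The grouping rule in the later `packageRules` hunk turns on `pinDigests`, so bounding the group as `sha256:[a-f0-9]{64}` keeps a malformed pin from matching silently. The opening and closing quotes are each optional on their own (`[\"']?`), which lets a tag with only one quote match. If the template always quotes the tag, make both quotes mandatory.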
@@ -145,39 +144,34 @@ "matchFileNames": [ ".github/workflows/**" ], - "schedule": [ - "every hour" - ], "labels": [ "renovate/github-actions" ], "groupName": "GitHub Actions updates" }, { - "description": "Group obol-stack-front-end updates", + "description": "Group obol-stack-front-end Docker image updates", "matchDatasources": [ - "github-releases" + "docker" ], "matchPackageNames": [ - "ObolNetwork/obol-stack-front-end" + "obolnetwork/obol-stack-front-end" ], "labels": [ "renovate/frontend", "obol-stack-front-end" ], - "schedule": [ - "every hour" - ], "groupName": "obol-stack-front-end updates", + "pinDigests": true, "prBodyTemplate": "This PR updates **obol-stack-front-end** to version {{newVersion}}.\n\n### What Changed\n- **Current Version**: `{{currentVersion}}`\n- **New Version**: `{{newVersion}}`\n- **Change Type**: {{#if isMajor}}🔴 Major{{else}}{{#if isMinor}}🟡 Minor{{else}}🟢 Patch{{/if}}{{/if}}\n\n### Release Notes\n\n{{{changelog}}}\n\n### Files Updated\n{{#each upgrades}}- `{{depName}}`: `{{currentVersion}}` → `{{newVersion}}`\n{{/each}}\n\n---\n**Auto-generated by Renovate Bot**" }, { "description": "Require approval for major obol-stack-front-end updates", "matchDatasources": [ - "github-releases" + "docker" ], "matchPackageNames": [ - "ObolNetwork/obol-stack-front-end" + "obolnetwork/obol-stack-front-end" ], "matchUpdateTypes": [ "major" @@ -200,9 +194,6 @@ "labels": [ "renovate/openclaw" ], - "schedule": [ - "every hour" - ], "groupName": "OpenClaw updates" }, { 
@@ -217,9 +208,6 @@ "renovate/remote-signer", "remote-signer" ], - "schedule": [ - "every hour" - ], "groupName": "remote-signer chart updates", "prBodyTemplate": "This PR updates the **remote-signer** Helm chart (pinned in `internal/openclaw/openclaw.go`).\n\n### What Changed\n- **Current Version**: `{{currentVersion}}`\n- **New Version**: `{{newVersion}}`\n- **Change Type**: {{#if isMajor}}🔴 Major{{else}}{{#if isMinor}}🟡 Minor{{else}}🟢 Patch{{/if}}{{/if}}\n\n### Release Notes\n\n{{{changelog}}}\n\n---\n**Auto-generated by Renovate Bot**" }, @@ -251,9 +239,6 @@ "labels": [ "renovate/openclaw-chart" ], - "schedule": [ - "every hour" - ], "groupName": "openclaw chart updates" }, { From b73fcb0f4ba4491e278e393c4ff62a8cc9fd25c3 Mon Sep 17 00:00:00 2001 From: bussyjd Date: Sun, 24 May 2026 23:16:55 +0400 Subject: [PATCH 2/3] fix(renovate): run against repository --- .github/workflows/renovate.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index cacb5df8..a7e0d310 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -32,5 +32,7 @@ jobs: env: LOG_LEVEL: debug RENOVATE_DRY_RUN: ${{ github.event.inputs.dry_run == 'true' && 'full' || '' }} + RENOVATE_REPOSITORIES: ${{ github.repository }} + RENOVATE_BASE_BRANCHES: ${{ github.ref_name }} with: token: ${{ secrets.GITHUB_TOKEN }} From d6544579801a7bc0d4a45bb7341244e40d637327 Mon Sep 17 00:00:00 2001 
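Review bot: `RENOVATE_BASE_BRANCHES: ${{ github.ref_name }}` in the `@@ -32,5 +32,7 @@` hunk follows whatever ref the run was started from, and this workflow also has a `workflow_dispatch` trigger. A manual run from a feature branch or a tag would therefore point Renovate at that ref rather than the branch that is normally reviewed. The value lands in an environment variable and not in script text, so this is not an injection problem, but it does let the dispatching user choose where the bot's branches and PRs are based. Consider fixing the value to the default branch, or add a comment on that line such as `# intentionally follows the dispatched ref` if that is the intent. The `env:` block starts above the hunk.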
From: bussyjd Date: Sun, 24 May 2026 23:23:56 +0400 Subject: [PATCH 3/3] fix(actions): update sha-pinned workflow actions --- .github/workflows/docker-publish-openclaw.yml | 32 +++++++++---------- .../workflows/docker-publish-storefront.yml | 16 +++++----- .github/workflows/docker-publish-x402.yml | 16 +++++----- .github/workflows/gitleaks.yml | 8 +++-- .github/workflows/helm-template-smoke.yml | 4 +-- .github/workflows/lint-test.yaml | 16 +++++----- .github/workflows/release.yml | 26 ++++++++------- .github/workflows/renovate.yml | 4 +-- 8 files changed, 64 insertions(+), 58 deletions(-) diff --git a/.github/workflows/docker-publish-openclaw.yml b/.github/workflows/docker-publish-openclaw.yml index 55a774c6..cbe8e398 100644 --- a/.github/workflows/docker-publish-openclaw.yml +++ b/.github/workflows/docker-publish-openclaw.yml @@ -42,7 +42,7 @@ jobs: steps: - name: Checkout obol-stack - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Resolve versions and check for updates id: check 
@@ -103,23 +103,23 @@ jobs: steps: - name: Checkout obol-stack - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Checkout upstream OpenClaw - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: openclaw/openclaw ref: ${{ needs.check-upstream.outputs.openclaw_version }} path: openclaw-src - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -127,7 +127,7 @@ jobs: - name: Extract base image metadata id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.REGISTRY }}/${{ env.BASE_IMAGE_NAME }} tags: | @@ -142,7 +142,7 @@ jobs: org.opencontainers.image.version=${{ needs.check-upstream.outputs.openclaw_version }} - name: Build and push base image - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: openclaw-src platforms: linux/amd64,linux/arm64 
@@ -164,16 +164,16 @@ jobs: steps: - name: Checkout obol-stack - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -181,7 +181,7 @@ jobs: - name: Extract final image metadata id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | @@ -197,7 +197,7 @@ jobs: org.opencontainers.image.version=${{ needs.check-upstream.outputs.openclaw_version }} - name: Build and push final image - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: . file: docker/openclaw/Dockerfile @@ -224,7 +224,7 @@ jobs: steps: - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest format: 'sarif' 
@@ -232,7 +232,7 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@b13d724d35ff0a814e21683638ed68ed34cf53d1 # main + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: 'trivy-results.sarif' if: always() diff --git a/.github/workflows/docker-publish-storefront.yml b/.github/workflows/docker-publish-storefront.yml index f78721fc..3e7941f9 100644 --- a/.github/workflows/docker-publish-storefront.yml +++ b/.github/workflows/docker-publish-storefront.yml @@ -28,16 +28,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -45,7 +45,7 @@ jobs: - name: Extract image metadata id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.REGISTRY }}/obolnetwork/obol-stack-public-storefront tags: | 
@@ -68,7 +68,7 @@ jobs: org.opencontainers.image.source=https://github.com/ObolNetwork/obol-stack - name: Build and push - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: . file: Dockerfile.public-storefront @@ -89,7 +89,7 @@ jobs: steps: - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ env.REGISTRY }}/obolnetwork/obol-stack-public-storefront:${{ github.sha }} format: 'sarif' @@ -97,7 +97,7 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@b13d724d35ff0a814e21683638ed68ed34cf53d1 # main + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: 'trivy-results.sarif' if: always() diff --git a/.github/workflows/docker-publish-x402.yml b/.github/workflows/docker-publish-x402.yml index f66e7b46..5c2feb79 100644 --- a/.github/workflows/docker-publish-x402.yml +++ b/.github/workflows/docker-publish-x402.yml 
@@ -63,16 +63,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -80,7 +80,7 @@ jobs: - name: Extract image metadata id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: ${{ env.REGISTRY }}/${{ matrix.image }} tags: | @@ -105,7 +105,7 @@ jobs: - name: Build and push id: build-push - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: . file: ${{ matrix.dockerfile }} @@ -141,7 +141,7 @@ jobs: steps: - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ env.REGISTRY }}/${{ matrix.image }}:${{ github.sha }} format: 'sarif' 
@@ -149,7 +149,7 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@b13d724d35ff0a814e21683638ed68ed34cf53d1 # main + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: 'trivy-results.sarif' if: always() diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 96caca6b..db6a754a 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -14,13 +14,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Install gitleaks run: | - curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_linux_x64.tar.gz | tar xz + GITLEAKS_VERSION=8.30.1 + GITLEAKS_SHA256=551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb + curl -sSfL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" + echo "${GITLEAKS_SHA256} gitleaks.tar.gz" | sha256sum -c - + tar xzf gitleaks.tar.gz gitleaks sudo mv gitleaks /usr/local/bin/ - name: Run gitleaks on PR diff diff --git a/.github/workflows/helm-template-smoke.yml b/.github/workflows/helm-template-smoke.yml index 9320e05a..9c27bc5f 100644 --- a/.github/workflows/helm-template-smoke.yml +++ b/.github/workflows/helm-template-smoke.yml 
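Review bot: In the gitleaks install step, `GITLEAKS_VERSION` and `GITLEAKS_SHA256` must change together, but nothing in the script says so or says where the hash comes from. A later version bump, manual or automated, that leaves the old hash in place will fail the `sha256sum -c` check, and the tempting fix is to paste whatever hash the new download produces. I would add a comment above the two assignments, for example `# GITLEAKS_SHA256 is the linux_x64 tarball hash from the release's published checksums; update it together with GITLEAKS_VERSION`. The check relies on the step's shell stopping on the first failing command, which is the default for `run:` on this runner as far as I can tell. An explicit `set -euo pipefail` as the first line would make that independent of the shell setting.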
@@ -21,10 +21,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Helm - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 with: version: v3.20.1 # match obolup.sh pinned version diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 3c5ee256..01ed8d71 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -12,17 +12,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up Helm - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 with: version: v3.12.0 - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" @@ -32,9 +32,9 @@ jobs: - name: Run chart-testing (list-changed) id: list-changed run: | - changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) + changed=$(ct list-changed --target-branch "${{ github.event.repository.default_branch }}") if [[ -n "$changed" ]]; then - echo "changed=true" >> $GITHUB_OUTPUT + echo "changed=true" >> "$GITHUB_OUTPUT" fi - name: Run chart-testing (lint) 
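Review bot: In the `list-changed` step of `lint-test.yaml`, the added double quotes around `${{ github.event.repository.default_branch }}` do not protect the command. The expression is substituted into the script text before bash parses it, so quoting inside the script cannot neutralise the value. The branch name is set by repository admins, so the exposure is low, but the safe pattern costs the same: pass the value through the environment with `env:` / `TARGET_BRANCH: ${{ github.event.repository.default_branch }}` on the step and call `ct list-changed --target-branch "$TARGET_BRANCH"`. The step continues below the hunk.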
@@ -52,15 +52,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: 'go.mod' - name: Set up just - uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2.0.2 + uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 # v4.0.0 - name: Regenerate CRDs + DeepCopy run: just generate diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 78bcff66..ac44b4b6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -74,12 +74,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: 'go.mod' @@ -107,10 +107,12 @@ jobs: GIT_DIRTY="false" fi - echo "version=$VERSION" >> $GITHUB_OUTPUT - echo "git_commit=$GIT_COMMIT" >> $GITHUB_OUTPUT - echo "build_time=$BUILD_TIME" >> $GITHUB_OUTPUT - echo "git_dirty=$GIT_DIRTY" >> $GITHUB_OUTPUT + { + echo "version=$VERSION" + echo "git_commit=$GIT_COMMIT" + echo "build_time=$BUILD_TIME" + echo "git_dirty=$GIT_DIRTY" + } >> "$GITHUB_OUTPUT" - name: Build binary env: 
@@ -132,7 +134,7 @@ jobs: chmod +x "$OUTPUT" - name: Upload artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: obol_${{ matrix.goos }}_${{ matrix.goarch }} path: obol_${{ matrix.goos }}_${{ matrix.goarch }} @@ -145,10 +147,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download all artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: artifacts merge-multiple: true @@ -157,9 +159,9 @@ jobs: id: tag run: | if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT + echo "tag=${{ github.event.inputs.tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT + echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT" fi - name: Generate checksums @@ -169,7 +171,7 @@ jobs: cat SHA256SUMS - name: Create Release - uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: tag_name: ${{ steps.tag.outputs.tag }} name: Release ${{ steps.tag.outputs.tag }} diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index a7e0d310..2e0a2a30 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
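Review bot: The `id: tag` step in `release.yml` still pastes `${{ github.event.inputs.tag }}` and `${{ github.ref_name }}` straight into the script, and the quoting this hunk adds around `$GITHUB_OUTPUT` does not change that. Both values are chosen by whoever dispatches the workflow or pushes the tag, and they are expanded into the script text before bash parses it, so shell quoting cannot contain them. Because this job goes on to create the release, the values should reach the script only as environment variables. The step's `name:` line is above the hunk, and the step layout below is my reading of it.

```yaml
        id: tag
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_TAG: ${{ github.event.inputs.tag }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            echo "tag=$INPUT_TAG" >> "$GITHUB_OUTPUT"
          else
            echo "tag=$REF_NAME" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Generate checksums step …
```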
@@ -25,10 +25,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Renovate - uses: renovatebot/github-action@79dc0ba74dc3de28db0a7aeb1d0b95d5bf5fde2a # v46.1.13 + uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961 # v46.1.14 env: LOG_LEVEL: debug RENOVATE_DRY_RUN: ${{ github.event.inputs.dry_run == 'true' && 'full' || '' }}