diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml
index f95548bd1..b4261a06d 100644
--- a/.github/workflows/go-tests.yaml
+++ b/.github/workflows/go-tests.yaml
@@ -19,7 +19,7 @@ jobs:
       contents: read
 
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e9f5565fc..7a97ec34d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,7 +15,7 @@ jobs:
     if: ${{ github.repository }} == 'chainguard-dev/bincapz'
     runs-on: ubuntu-latest
     steps:
-    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: audit
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml
index ee11526e4..620ef32f0 100644
--- a/.github/workflows/version.yaml
+++ b/.github/workflows/version.yaml
@@ -21,7 +21,7 @@ jobs:
     if: ${{ github.repository }} == 'chainguard-dev/bincapz'
     runs-on: ubuntu-latest
     steps:
-    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: audit 
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332