diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..1a218f5e
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions" # See documentation for possible values
+    directory: ".github/workflows" # Location of package manifests
+    schedule:
+      interval: "monthly"
+    groups:
+      actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/merge-main-to-develop.yml b/.github/workflows/merge-main-to-develop.yml
index 66820363..5fde77c1 100644
--- a/.github/workflows/merge-main-to-develop.yml
+++ b/.github/workflows/merge-main-to-develop.yml
@@ -6,18 +6,18 @@ on:
 
 jobs:
   merge-main-to-develop:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0
       - run: .github/scripts/merge-main-to-develop.sh
   tag-latest:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     needs: merge-main-to-develop
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0
       - run: .github/scripts/tag-latest.sh
-      
\ No newline at end of file
+      
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 45386086..8cf2eea0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,11 +16,11 @@ on:
 
 jobs:
   tag_or_release:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     name: tag or release the given branch with the given name
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0
       - name: release
@@ -30,4 +30,4 @@ jobs:
           tag_or_release: "${{ github.event.inputs.tag_or_release }}"
           name: "${{ github.event.inputs.name }}"
           source_branch: "${{ github.event.inputs.source_branch }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
+          token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/tag-latest.yml b/.github/workflows/tag-latest.yml
index dcfe6e9f..eff899de 100644
--- a/.github/workflows/tag-latest.yml
+++ b/.github/workflows/tag-latest.yml
@@ -6,7 +6,7 @@ on:
 
 jobs:
   update-latest-tag:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2
-      - run: .github/scripts/tag-latest.sh
\ No newline at end of file
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - run: .github/scripts/tag-latest.sh
diff --git a/.github/workflows/tag-stable.yml b/.github/workflows/tag-stable.yml
index 55bcc3e8..29a95c61 100644
--- a/.github/workflows/tag-stable.yml
+++ b/.github/workflows/tag-stable.yml
@@ -6,7 +6,7 @@ on:
 
 jobs:
   update-stable-tag:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2
-      - run: .github/scripts/tag-stable.sh
\ No newline at end of file
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - run: .github/scripts/tag-stable.sh