diff --git a/.github/workflows/main-version-update.yml b/.github/workflows/main-version-update.yml
index 3c2b018..5cf3699 100644
--- a/.github/workflows/main-version-update.yml
+++ b/.github/workflows/main-version-update.yml
@@ -17,7 +17,7 @@ jobs:
   tag:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - name: Git config
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1b94d95..bb7e052 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
       # ncc@0.28.6 uses legacy OpenSSL hashing; Node 20+ requires this flag
       NODE_OPTIONS: --openssl-legacy-provider
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - uses: actions/setup-node@v4
       with:
         node-version: 20
@@ -25,7 +25,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - uses: ./
       with:
         milliseconds: 1000
diff --git a/cache/action.yml b/cache/action.yml
index dbc3f5c..5ed5072 100644
--- a/cache/action.yml
+++ b/cache/action.yml
@@ -15,7 +15,7 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - uses: actions/cache@v4
+    - uses: actions/cache@v5
       with:
         path: ${{ inputs.DEPLOY_CACHE_PATH }}
         key: ${{ inputs.DEPLOY_CACHE_KEY }}
diff --git a/deploy/eks/action.yml b/deploy/eks/action.yml
index f9dee48..3893fbb 100644
--- a/deploy/eks/action.yml
+++ b/deploy/eks/action.yml
@@ -52,18 +52,18 @@ runs:
         fi
     - name: Configuring AWS credentials (IAM role)
       if: ${{ inputs.AWS_ROLE_ARN != '' }}
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v6
       with:
         role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
         aws-region: ${{ inputs.AWS_REGION }}
     - name: Configuring AWS credentials (static)
       if: ${{ inputs.AWS_ROLE_ARN == '' }}
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v6
       with:
         aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
         aws-region: ${{ inputs.AWS_REGION }}
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Cleaning workspace
       if: ${{ inputs.CLEAN_WORKSPACE == 'true' }}
       shell: bash
diff --git a/deploy/lambda/go/action.yml b/deploy/lambda/go/action.yml
index 94033c0..8b2364c 100644
--- a/deploy/lambda/go/action.yml
+++ b/deploy/lambda/go/action.yml
@@ -13,7 +13,7 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Cleaning workspace
       shell: bash
       run: shopt -s dotglob && rm -rf "${{ github.workspace }}"/*
diff --git a/go/configure/action.yml b/go/configure/action.yml
index c66b363..0c8594e 100644
--- a/go/configure/action.yml
+++ b/go/configure/action.yml
@@ -6,7 +6,7 @@ inputs:
     description: Flipp circleci repo token
     required: true
   BUF_BUILD_USER:
-    description: Buf CI user stored as secret
+    description: Buf CI user stored as secret. Deprecated - no longer used by buf-action, kept for backward compatibility.
     required: false
   BUF_BUILD_API_TOKEN:
     description: Buf API token stored as secret
@@ -20,7 +20,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         fetch-depth: ${{ inputs.FETCH_DEPTH }}
     - name: Setting up private modules access
@@ -32,18 +32,18 @@ runs:
         BUF_VERSION=$(awk '/^buf[[:space:]]+/ {print $2}' .tool-versions)
         echo "BUF_VERSION=${BUF_VERSION}" >> $GITHUB_ENV
       shell: bash
-    - name: Setting up buf if version is provided
-      uses: bufbuild/buf-setup-action@v1
+    - name: Setting up buf with pinned version
+      uses: bufbuild/buf-action@v1
       if: "${{ inputs.BUF_BUILD_API_TOKEN != '' && env.BUF_VERSION != '' }}"
       with:
+        setup_only: true
         github_token: ${{ inputs.FLIPPCIRCLECIPULLER_REPO_TOKEN }}
-        buf_user: ${{ inputs.BUF_BUILD_USER }}
-        buf_api_token: ${{ inputs.BUF_BUILD_API_TOKEN }}
+        token: ${{ inputs.BUF_BUILD_API_TOKEN }}
         version: ${{ env.BUF_VERSION }}
-    - name: Setting up buf if version is not provided
-      uses: bufbuild/buf-setup-action@v1
+    - name: Setting up buf with default version
+      uses: bufbuild/buf-action@v1
       if: "${{ inputs.BUF_BUILD_API_TOKEN != '' && env.BUF_VERSION == '' }}"
       with:
+        setup_only: true
         github_token: ${{ inputs.FLIPPCIRCLECIPULLER_REPO_TOKEN }}
-        buf_user: ${{ inputs.BUF_BUILD_USER }}
-        buf_api_token: ${{ inputs.BUF_BUILD_API_TOKEN }}
+        token: ${{ inputs.BUF_BUILD_API_TOKEN }}
diff --git a/go/deps/action.yml b/go/deps/action.yml
index 10f9d61..c37d2ea 100644
--- a/go/deps/action.yml
+++ b/go/deps/action.yml
@@ -23,7 +23,7 @@ runs:
   steps:
     - name: Restoring vendor modules from cache
       id: vendor-cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: vendor
         key: vendor-cache-${{ hashFiles('go.mod','go.sum') }}
diff --git a/go/lint/action.yml b/go/lint/action.yml
index a607567..2b3aac6 100644
--- a/go/lint/action.yml
+++ b/go/lint/action.yml
@@ -89,7 +89,7 @@ runs:
         version: ${{ env.GOLANGCI_LINT_VERSION }} # Optional - if blank, will use the action's default version resolution
     - name: Run v2 Go linter
       if: ${{ env.IS_V2 == 'true' }}
-      uses: golangci/golangci-lint-action@v7 # Note: v7 and up require golangci-lint v2 config
+      uses: golangci/golangci-lint-action@v9 # Note: v7/v9 and up require golangci-lint v2 config. v9 runs on Node.js 24.
       with:
         skip-cache: true
         args: --verbose
diff --git a/go/smoke-test/action.yml b/go/smoke-test/action.yml
index fe35af0..9be047b 100644
--- a/go/smoke-test/action.yml
+++ b/go/smoke-test/action.yml
@@ -44,11 +44,11 @@ runs:
       shell: bash
     - name: Run DataDog Synthetics
       if: inputs.DD_SYNTHETIC_IDS != ''
-      uses: DataDog/synthetics-ci-github-action@v1.17.0
+      uses: DataDog/synthetics-ci-github-action@v4.0.0
       with:
-        api_key: ${{ inputs.DD_API_KEY }}
-        app_key: ${{ inputs.DD_APP_KEY }}
-        public_ids: ${{ inputs.DD_SYNTHETIC_IDS }}
+        api-key: ${{ inputs.DD_API_KEY }}
+        app-key: ${{ inputs.DD_APP_KEY }}
+        public-ids: ${{ inputs.DD_SYNTHETIC_IDS }}
     - name: Write smoke test summary
       if: always()
       shell: bash
diff --git a/go/test/action.yml b/go/test/action.yml
index 2a5dd3c..d076c06 100644
--- a/go/test/action.yml
+++ b/go/test/action.yml
@@ -51,13 +51,13 @@ runs:
           echo "> **Warning:** No test report found" >> $GITHUB_STEP_SUMMARY
         fi
     - name: Uploading test report
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: "${{ github.sha }}-test-report.out"
         path: "./test-report.out"
         retention-days: ${{ inputs.ARTIFACT_RETENTION_DAYS }}
     - name: Uploading coverage report
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: "${{ github.sha }}-coverage.out"
         path: "./coverage.out"
diff --git a/ruby/deps/action.yml b/ruby/deps/action.yml
index 86afc02..8e90f35 100644
--- a/ruby/deps/action.yml
+++ b/ruby/deps/action.yml
@@ -11,7 +11,7 @@ runs:
   steps:
     - name: Bundle cache
       id: bundle-cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: vendor/bundle
         key: rails-${{ hashFiles('Gemfile.lock') }}
diff --git a/ruby/lint/action.yml b/ruby/lint/action.yml
index df58de1..be3966f 100644
--- a/ruby/lint/action.yml
+++ b/ruby/lint/action.yml
@@ -18,7 +18,7 @@ runs:
       env: 
         BUNDLE_DEPLOYMENT: true
     - name: 'Upload rubocop results'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: "${{ github.sha }}-lint-results.out"
         path: ./rubocop/rubocop.json
diff --git a/ruby/one-for-all/action.yml b/ruby/one-for-all/action.yml
index 6a22e7c..e769735 100644
--- a/ruby/one-for-all/action.yml
+++ b/ruby/one-for-all/action.yml
@@ -5,7 +5,7 @@ runs:
   using: "composite"
   steps: 
     - name: Download test result
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v7
       with:
         name: ${{ github.sha }}-test-report.out
         path: ./result/
diff --git a/ruby/test/action.yml b/ruby/test/action.yml
index 945df0d..c203010 100644
--- a/ruby/test/action.yml
+++ b/ruby/test/action.yml
@@ -63,13 +63,13 @@ runs:
       run: |
         sed -i 's@${{ env.ROOT_PATH }}''@/github/workspace/@g' coverage.json
     - name: 'Upload coverage'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: ${{ github.sha }}-coverage.out
         path: ./coverage/coverage.json
         retention-days: ${{ inputs.ARTIFACT_RETENTION_DAYS }}
     - name: 'Upload test results'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: ${{ github.sha }}-test-report.out
         path: ./result/rspec.xml