diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index 1bfbc5b..7e586f8 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.3
       - name: Setup python and environment
         uses: ./.github/actions/setup-env
         with:
@@ -53,11 +53,14 @@ jobs:
           - ubuntu-24.04
         python-version: ["3.10", "3.11"]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      id-token: write
     env:
       OS: ${{ matrix.os }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.3
       - name: Setup python and environment
         uses: ./.github/actions/setup-env
         with:
@@ -74,8 +77,11 @@ jobs:
         if: (matrix.os == 'ubuntu-24.04') && (matrix.python-version == env.TARGET_PYTHON_VERSION)
         run: uv run pytest --cov=deepprofiler --cov-report=xml ${{ github.event.inputs.pytest_addopts }}
       - name: Upload coverage to Codecov
-        if: (matrix.os == 'ubuntu-24.04') && (matrix.python-version == env.TARGET_PYTHON_VERSION)
-        uses: codecov/codecov-action@v4
+        if: >
+          (matrix.os == 'ubuntu-24.04') &&
+          (matrix.python-version == env.TARGET_PYTHON_VERSION) &&
+          !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
+        uses: codecov/codecov-action@v7
         env:
           OS: ${{ matrix.os }}
           PYTHON: ${{ matrix.python-version }}
@@ -85,8 +91,7 @@ jobs:
           fail_ci_if_error: true
           flags: unittests
           name: deepprofiler
-          # See https://docs.codecov.com/docs/adding-the-codecov-token
-          token: ${{ secrets.CODECOV_TOKEN }}
+          use_oidc: true
       - name: Run pytest
         if: (matrix.os != 'ubuntu-24.04') || (matrix.python-version != env.TARGET_PYTHON_VERSION)
         run: uv run pytest ${{ github.event.inputs.pytest_addopts }}
@@ -97,7 +102,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.3
       - name: Setup python and environment
         uses: ./.github/actions/setup-env
         with:
@@ -118,7 +123,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.3
         with:
           fetch-depth: 0
       - name: Setup python and environment
@@ -132,14 +137,14 @@ jobs:
       - name: Build
         run: uv build
       - name: Upload wheel artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: wheel
           path: dist/*.whl
           if-no-files-found: error
           retention-days: 90
       - name: Upload sdist artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: sdist
           path: dist/*.tar.gz
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5f8226b..ed04f55 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,13 +12,13 @@ jobs:
     permissions:
       id-token: write  # required for trusted publishing
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6.0.3
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@v7
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.12"