diff --git a/.github/workflows/check-release-notes.yml b/.github/workflows/check-release-notes.yml
index 0f3924ad..29ff11b5 100644
--- a/.github/workflows/check-release-notes.yml
+++ b/.github/workflows/check-release-notes.yml
@@ -86,7 +86,7 @@ jobs:
 
       - name: Resolve comment
         if: ${{ env.MISSING_CHANGELOG_ENTRY == '0' && steps.fc.outputs.comment-id != '' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@v9
         with:
           script: |
             query = `mutation minimizeComment {
@@ -104,7 +104,7 @@ jobs:
 
       - name: Unresolve comment
         if: ${{ env.MISSING_CHANGELOG_ENTRY == '1' && steps.fc.outputs.comment-id != '' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@v9
         with:
           script: |
             query = `mutation unminimizeComment {
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d6d0566f..6bfe52b0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -104,7 +104,7 @@ jobs:
       # Upload coverage reports to Codecov
 
       - name: Upload coverage to codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         env:
           OS: "${{ matrix.os }}"
           PYTHON: "${{ matrix.python-version }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index de171ddd..a17ee29a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,7 +43,7 @@ jobs:
           requirements: tox
       - name: Build source (sdist) and binary (wheel) distributions
         run: tox -e build-dists
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         with:
           name: python-package-distributions
           path: dist/
@@ -61,7 +61,7 @@ jobs:
     permissions:
       id-token: write  # IMPORTANT: mandatory for trusted publishing
     steps:
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@v8
         with:
           name: python-package-distributions
           path: dist/
@@ -84,7 +84,7 @@ jobs:
     permissions:
       id-token: write  # IMPORTANT: mandatory for trusted publishing
     steps:
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@v8
         with:
           name: python-package-distributions
           path: dist/
@@ -119,12 +119,12 @@ jobs:
 
       # Sign the package distributions with Sigstore
       # https://github.com/marketplace/actions/gh-action-sigstore-python
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@v8
         with:
           name: python-package-distributions
           path: dist/
       - name: Sign the dists with Sigstore
-        uses: sigstore/gh-action-sigstore-python@v3.2.0
+        uses: sigstore/gh-action-sigstore-python@v3.3.0
         with:
           inputs: >-
             ./dist/*.tar.gz
diff --git a/docs/reference/changelog.md b/docs/reference/changelog.md
index 5211e960..e7bf832f 100644
--- a/docs/reference/changelog.md
+++ b/docs/reference/changelog.md
@@ -7,6 +7,11 @@ Unreleased changes
 
 ### CI/CD
 
+- Bump actions/download-artifact from 7 to 8 ({gh-pr}`368`)
+- Bump actions/upload-artifact from 6 to 7 ({gh-pr}`369`)
+- Bump sigstore/gh-action-sigstore-python from 3.2.0 to 3.3.0 ({gh-pr}`370`)
+- Bump codecov/codecov-action from 5 to 6 ({gh-pr}`371`)
+- Bump actions/github-script from 8 to 9 ({gh-pr}`373`)
 - pre-commit autoupdate ({gh-pr}`374`)
 
 ---