diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 633a5ce6..ff74d1c3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,7 +38,7 @@ jobs:
 with:
 submodules: true
 - name: Setup Go
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Find the Go Build Cache
@@ -74,7 +74,7 @@ jobs:
 with:
 submodules: true
 - name: Setup Go
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Install goimports
@@ -110,7 +110,7 @@ jobs:
 - name: Fetch History
 run: git fetch --prune --unshallow
 - name: Setup Go
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Find the Go Build Cache
@@ -133,7 +133,7 @@ jobs:
 - name: Run Unit Tests
 run: make -j2 test
 - name: Publish Unit Test Coverage
- uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v1
+ uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v1
 with:
 flags: unittests
 file: _output/tests/linux_amd64/coverage.txt
@@ -149,7 +149,7 @@ jobs:
 - name: Fetch History
 run: git fetch --prune --unshallow
 - name: Setup Go
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Find the Go Build Cache
diff --git a/cluster/images/provider-upjet-github/Dockerfile b/cluster/images/provider-upjet-github/Dockerfile
index 0b66de44..ebee07de 100644
--- a/cluster/images/provider-upjet-github/Dockerfile
+++ b/cluster/images/provider-upjet-github/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19.1
+FROM alpine:3.22.1
 RUN apk --no-cache add ca-certificates bash
 ARG TARGETOS
diff --git a/go.mod b/go.mod
index de64b1ee..d31900c2 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/crossplane-contrib/provider-upjet-github
-go 1.23.0
+go 1.23.12
 require (
 dario.cat/mergo v1.0.2
diff --git a/internal/clients/github.go b/internal/clients/github.go
index b5952dae..faea1292 100644
--- a/internal/clients/github.go
+++ b/internal/clients/github.go
@@ -65,11 +65,6 @@ type githubConfig struct {
 RetryableErrors []int `json:"retryable_errors,omitempty"`
 }
-type githubCredentialCache struct {
- configName *terraform.Setup
- cachedAt time.Time
-}
-
 // setCredentialConfigs will add credential type fields (Owner, Token, AppAuth) to terraform providerConfiguration
 func setCredentialConfigs(creds githubConfig, cnf terraform.ProviderConfiguration) (terraform.ProviderConfiguration, error) {
 if creds.Owner != nil {
@@ -144,12 +139,27 @@ func terraformProviderConfigurationBuilder(creds githubConfig) (terraform.Provid
 }
+// The terraform provider currently doesn't refresh installation tokens automatically
+// Therefore, the terraform provider config needs to be refreshed at least every hour
+// Once this PR is merged to terraform provider, the cache expiry can be removed
+// https://github.com/integrations/terraform-provider-github/pull/2695
+
+type CachedTerraformSetup struct {
+ setup *terraform.Setup
+ expiry time.Time
+}
+
+const (
+ tfSetupCacheTTL = time.Minute * 55
+)
+
 // TerraformSetupBuilder builds Terraform a terraform.SetupFn function which returns Terraform provider setup configuration
 //
 //gocyclo:ignore
 func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn {
 var tfSetupLock sync.RWMutex
- tfSetups := make(map[string]*githubCredentialCache)
+ tfSetups := make(map[string]CachedTerraformSetup)
+
 return func(ctx context.Context, client client.Client, mg resource.Managed) (terraform.Setup, error) {
 ps := terraform.Setup{}
@@ -159,17 +169,13 @@ func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn {
 return ps, errors.New(errNoProviderConfig)
 }
- tokenValidDuration, err := time.ParseDuration("45m")
- if err != nil {
- return ps, err
- }
-
 tfSetupLock.Lock()
 defer tfSetupLock.Unlock()
 tfSetup, ok := tfSetups[configRef.Name]
- if ok && time.Since(tfSetup.cachedAt) < tokenValidDuration {
- return *tfSetup.configName, nil
+ if ok && tfSetup.expiry.After(time.Now()) {
+ return *tfSetup.setup, nil
+
 }
 pc := &v1beta1.ProviderConfig{}
@@ -204,7 +210,10 @@ func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn {
 return ps, errors.Wrap(err, "failed to configure the Terraform Github provider meta")
 }
- tfSetups[configRef.Name] = &githubCredentialCache{&ps, time.Now()}
+ tfSetups[configRef.Name] = CachedTerraformSetup{
+ setup: &ps,
+ expiry: time.Now().Add(tfSetupCacheTTL),
+ }
 return ps, nil
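Review bot: `tfSetupCacheTTL = time.Minute * 55` leaves only about five minutes of remaining validity on a setup handed out just before its cache entry expires, assuming the installation token lives one hour as the added comment implies; the value this commit replaces was `45m`. Whether five minutes is enough depends on how long a caller keeps using a returned setup, which the hunk does not show. Either keep more headroom, e.g. `tfSetupCacheTTL = 45 * time.Minute`, or record the assumption next to the constant: `// installation tokens last 1h; 55m assumes no operation uses a setup for more than 5m after it is returned`. The explanatory comment block is also separated from `CachedTerraformSetup` by a blank line, so it does not attach to the type as its doc comment, and the type looks like it could stay unexported since only the closure in this file uses it.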
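Review bot: The cache hit at `if ok && tfSetup.expiry.After(time.Now())` is keyed only by `configRef.Name` and is evaluated before the ProviderConfig is fetched, so a rotated or revoked credential keeps being served from the cache until the entry expires. If that delay is an accepted trade-off, state it at the lookup, e.g. `// entries are keyed by ProviderConfig name only; credential changes take effect once the entry expires (tfSetupCacheTTL)`; otherwise the entry needs to be invalidated when the ProviderConfig or its secret changes. The lookup also runs under the exclusive `tfSetupLock.Lock()` although the lock is declared as a `sync.RWMutex`, so cache hits wait behind any setup that is still being built. The returned closure's body starts before and continues after this hunk.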