diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index c0f9e78..567ef3a 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -151,7 +151,7 @@ jobs:
 tags: localimage:${{ github.sha }}
 - name: Generate artifact attestation
 if: inputs.push
- uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+ uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
 with:
 subject-name: ${{ inputs.registry }}/${{ inputs.image }}
 subject-digest: ${{ steps.build.outputs.digest }}
diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml
index 7c23429..8ce98e4 100644
--- a/.github/workflows/infra-security-scan.yml
+++ b/.github/workflows/infra-security-scan.yml
@@ -52,7 +52,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Kics Scan
- uses: Checkmarx/kics-github-action@6b6fc1162a0f06704e4cca6e5f8e008ab20fabe5 # v2.1.16
+ uses: Checkmarx/kics-github-action@63fca4ca72e56edbb5a599ee756e6af1fdb1e785 # v2.1.18
 with:
 path: ${{ inputs.working-directory }}
 output_path: ${{ inputs.working-directory }}/kics_results.sarif
diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml
index 2c79e3f..c424c61 100644
--- a/.github/workflows/pulumi-preview.yml
+++ b/.github/workflows/pulumi-preview.yml
@@ -56,6 +56,7 @@ jobs:
 disable-sudo-and-containers: ${{ inputs.disable-sudo }}
 egress-policy: block
 allowed-endpoints: >
+ *.amazonaws.com:443
 api.github.com:443
 api.pulumi.com:443
 files.pythonhosted.org:443
@@ -64,7 +65,6 @@ jobs:
 objects.githubusercontent.com:443
 pypi.org:443
 release-assets.githubusercontent.com:443
- *.amazonaws.com:443
 ${{ inputs.egress-policy-allowlist }}
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with: 
diff --git a/.github/workflows/pulumi-up.yml b/.github/workflows/pulumi-up.yml
index eba5205..0544567 100644
--- a/.github/workflows/pulumi-up.yml
+++ b/.github/workflows/pulumi-up.yml
@@ -55,6 +55,7 @@ jobs:
 disable-sudo-and-containers: ${{ inputs.disable-sudo }}
 egress-policy: block
 allowed-endpoints: >
+ *.amazonaws.com:443
 api.github.com:443
 api.pulumi.com:443
 files.pythonhosted.org:443
@@ -63,7 +64,6 @@ jobs:
 objects.githubusercontent.com:443
 pypi.org:443
 release-assets.githubusercontent.com:443
- *.amazonaws.com:443
 ${{ inputs.egress-policy-allowlist }}
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with: