diff --git a/.github/workflows/closed_references.yml b/.github/workflows/closed_references.yml
index ebafc8a..dfaf7bb 100644
--- a/.github/workflows/closed_references.yml
+++ b/.github/workflows/closed_references.yml
@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     name: Find closed references
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2-beta
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: '14'
+          node-version: '20'
       - uses: ory/closed-reference-notifier@v1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/docker-build-push.yaml b/.github/workflows/docker-build-push.yml
similarity index 81%
rename from .github/workflows/docker-build-push.yaml
rename to .github/workflows/docker-build-push.yml
index a9ffb1a..972ab83 100644
--- a/.github/workflows/docker-build-push.yaml
+++ b/.github/workflows/docker-build-push.yml
@@ -13,10 +13,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
         with:
           # list of Docker images to use as base name for tags
           images: |
@@ -29,22 +30,25 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
             type=sha
+
       - name: Build and Scan
         uses: ./.github/actions/build-and-scan
         with:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1 
+        uses: docker/login-action@v3
         with:
           username: arekkas
-          password: ${{ secrets.DOCKER_SECRET_AREKKAS }}    
+          password: ${{ secrets.DOCKER_SECRET_AREKKAS }}
+
       - name: Push
         if: github.event_name != 'pull_request'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: ./docker
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
\ No newline at end of file
diff --git a/.github/workflows/gha-lint.yml b/.github/workflows/gha-lint.yml
new file mode 100644
index 0000000..7d1c726
--- /dev/null
+++ b/.github/workflows/gha-lint.yml
@@ -0,0 +1,27 @@
+name: Validation - GHA Linter
+on:
+  merge_group:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - master
+
+jobs:
+  validate:
+    name: Validate GHA
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          base: master
+          filters: |
+            workflows:
+              - '.github/**'
+      - name: actionlint
+        if: ${{ steps.filter.outputs.workflows == 'true' }}
+        uses: raven-actions/actionlint@v2
\ No newline at end of file
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index c470ddc..1a1ee57 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Synchronize Issue Labels
         uses: ory/label-sync-action@v0
         with:
diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml
index a4592c6..7374c6c 100644
--- a/.github/workflows/licenses.yml
+++ b/.github/workflows/licenses.yml
@@ -11,11 +11,11 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: "1.18"
-      - uses: actions/setup-node@v2
+          go-version: "1.23"
+      - uses: actions/setup-node@v4
         with:
-          node-version: "18"
+          node-version: "20"
       - run: make licenses
diff --git a/.github/workflows/periodic-scan.yaml b/.github/workflows/periodic-scan.yml
similarity index 100%
rename from .github/workflows/periodic-scan.yaml
rename to .github/workflows/periodic-scan.yml
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 7463e4e..98d1830 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,7 +9,7 @@ jobs:
     if: github.repository_owner == 'ory'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v4
+      - uses: actions/stale@v9
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: |