diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d98d32ff..a06db603 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # The version script relies on history. Fetch 100 commits to be safe.
           fetch-depth: 100
@@ -37,10 +37,10 @@ jobs:
       # which comes with BuildKit. It has cache features which can speed up
       # the builds. See https://github.com/docker/build-push-action
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -74,7 +74,7 @@ jobs:
       # If configured by the cache_config step, also cache the layers in
       # GitHub Actions.
       - name: Build image for linting and testing
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
@@ -92,7 +92,7 @@ jobs:
       # Make the image available as an artifact so other jobs will be able to
       # download it.
       - name: Upload image archive as an artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ env.artifact }}
           path: ${{ env.artifact }}.tar
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index d8ad66b8..0542fd1a 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Download image artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.artifact }}
 
@@ -27,17 +27,17 @@ jobs:
         run: docker load -i ${{ inputs.artifact }}.tar
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN  }}
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # The version script relies on history. Fetch 100 commits to be safe.
           fetch-depth: 100
@@ -45,7 +45,7 @@ jobs:
       # Build the final production image and push it to GHCR.
       # Tag it with both the short commit SHA and 'latest'.
       - name: Build final image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
@@ -61,9 +61,7 @@ jobs:
 
       # Deploy to Kubernetes.
       - name: Install kubectl
-        uses: azure/setup-kubectl@v3.0
-        with:
-          version: "latest"
+        uses: azure/setup-kubectl@v3
 
       - name: Authenticate with Kubernetes
         uses: azure/k8s-set-context@v3
@@ -79,7 +77,7 @@ jobs:
 
       # Push the base image to GHCR, with an inline cache manifest.
       - name: Push base image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
@@ -93,7 +91,7 @@ jobs:
 
       # Push the venv image to GHCR, with an inline cache manifest.
       - name: Push venv image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 79856bad..e2a3173a 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -11,11 +11,11 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python
         id: python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.11"
           cache: pip
@@ -25,7 +25,7 @@ jobs:
         run: pip install -U -r requirements/lint.pip
 
       - name: Pre-commit environment cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ env.PRE_COMMIT_HOME }}
           key: "precommit-0-${{ runner.os }}-${{ env.PRE_COMMIT_HOME }}-\
diff --git a/.github/workflows/sentry_release.yaml b/.github/workflows/sentry_release.yaml
index 9b4109ed..1a1db1b2 100644
--- a/.github/workflows/sentry_release.yaml
+++ b/.github/workflows/sentry_release.yaml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # The version script relies on history. Fetch 100 commits to be safe.
           fetch-depth: 100
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 6f89d87e..3da7e7a2 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Download image artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.artifact }}
 
@@ -27,7 +27,7 @@ jobs:
 
       # Needed for the Docker Compose file.
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Memory limit tests would fail if this isn't disabled.
       - name: Disable swap memory
@@ -47,9 +47,9 @@ jobs:
 
       # Upload it so the coverage from all matrix jobs can be combined later.
       - name: Upload coverage data
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: coverage
+          name: coverage-${{ matrix.os }}
           path: .coverage.*
           retention-days: 1
 
@@ -60,10 +60,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.11"
           cache: pip
@@ -73,9 +73,10 @@ jobs:
         run: pip install -U -r requirements/coverage.pip
 
       - name: Download coverage data
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
-          name: coverage
+          pattern: coverage-*
+          merge-multiple: true
 
       - name: Combine coverage data
         run: coverage combine .coverage.*
@@ -89,10 +90,10 @@ jobs:
       # Comment on the PR with the coverage results and register a GitHub check
       # which links to the coveralls.io job.
       - name: Publish coverage report to coveralls.io
-        uses: coverallsapp/github-action@1.1.3
+        uses: coverallsapp/github-action@v2.2.3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          path-to-lcov: ./coverage.lcov
+          format: lcov
 
   dry-run-deploy:
     name: Dry run deployment.yaml init container
@@ -100,7 +101,7 @@ jobs:
     needs: test
     steps:
       - name: Download image artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.artifact }}
 
@@ -109,7 +110,7 @@ jobs:
 
       # Needed for the Docker Compose file.
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Install eval deps the same way as init container from deployment.yaml
       # This is to ensure that deployment won't fail at that step