diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 03e61e7..5663e34 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -32,7 +32,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up just
-        uses: cerbos/actions/install-tools@b65bfbd7621d9a89a06901a7daaed0cfc72eb690 # main
+        uses: cerbos/actions/install-tools@e0522b0533b6679733f18d606638b0d91ffcf39d # main
         with:
           tools: just
 
@@ -65,7 +65,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Set up just
-        uses: cerbos/actions/install-tools@b65bfbd7621d9a89a06901a7daaed0cfc72eb690 # main
+        uses: cerbos/actions/install-tools@e0522b0533b6679733f18d606638b0d91ffcf39d # main
         with:
           tools: just
 
@@ -73,10 +73,10 @@ jobs:
         run: just lint-modernize
 
       - name: golangci-lint
-        uses: cerbos/actions/golangci-lint@b65bfbd7621d9a89a06901a7daaed0cfc72eb690 # main
+        uses: cerbos/actions/golangci-lint@e0522b0533b6679733f18d606638b0d91ffcf39d # main
 
       - name: Check repo status
-        uses: cerbos/actions/check-repo-status@b65bfbd7621d9a89a06901a7daaed0cfc72eb690 # main
+        uses: cerbos/actions/check-repo-status@e0522b0533b6679733f18d606638b0d91ffcf39d # main
 
   buf:
     name: Proto check
@@ -90,4 +90,4 @@ jobs:
           persist-credentials: false
 
       - name: Lint protos
-        uses: cerbos/actions/buf@b65bfbd7621d9a89a06901a7daaed0cfc72eb690 # main
+        uses: cerbos/actions/buf@e0522b0533b6679733f18d606638b0d91ffcf39d # main
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 3e09333..5bc7ecf 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -21,6 +21,6 @@ jobs:
           persist-credentials: false
 
       - name: Push to BSR
-        uses: cerbos/actions/buf@b65bfbd7621d9a89a06901a7daaed0cfc72eb690 # main
+        uses: cerbos/actions/buf@e0522b0533b6679733f18d606638b0d91ffcf39d # main
         with:
           token: ${{ secrets.BUF_TOKEN }}
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index 3cd0cc5..ae29957 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -27,4 +27,4 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: cerbos/actions/lint-actions@b65bfbd7621d9a89a06901a7daaed0cfc72eb690 # main
+        uses: cerbos/actions/lint-actions@e0522b0533b6679733f18d606638b0d91ffcf39d # main
diff --git a/test/testserver/testserver.go b/test/testserver/testserver.go
index 0c9d48a..a6f6e79 100644
--- a/test/testserver/testserver.go
+++ b/test/testserver/testserver.go
@@ -118,11 +118,13 @@ func newHub(t *testing.T, server *httptest.Server, creds *credentials.Credential
 	return h
 }
 
+const expectedAuthToken = "access-token"
+
 type authCheck struct{}
 
 func (ac authCheck) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
 	return connect.UnaryFunc(func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
-		if req.Header().Get(base.AuthTokenHeader) != "access-token" {
+		if req.Header().Get(base.AuthTokenHeader) != expectedAuthToken {
 			return nil, connect.NewError(connect.CodeUnauthenticated, errors.New("invalid or missing access token"))
 		}
 		return next(ctx, req)
@@ -135,7 +137,7 @@ func (ac authCheck) WrapStreamingClient(next connect.StreamingClientFunc) connec
 
 func (ac authCheck) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {
 	return connect.StreamingHandlerFunc(func(ctx context.Context, conn connect.StreamingHandlerConn) error {
-		if conn.RequestHeader().Get(base.AuthTokenHeader) != "access-token" {
+		if conn.RequestHeader().Get(base.AuthTokenHeader) != expectedAuthToken {
 			return connect.NewError(connect.CodeUnauthenticated, errors.New("invalid or missing access token"))
 		}
 
@@ -149,7 +151,7 @@ func ExpectAPIKeySuccess(t *testing.T, mockAPIKeySvc *mockapikeyv1connect.ApiKey
 	mockAPIKeySvc.EXPECT().
 		IssueAccessToken(mock.Anything, mock.MatchedBy(issueAccessTokenRequest())).
 		Return(connect.NewResponse(&apikeyv1.IssueAccessTokenResponse{
-			AccessToken: "access-token",
+			AccessToken: expectedAuthToken,
 			ExpiresIn:   durationpb.New(1 * time.Minute),
 		}), nil)
 }
diff --git a/tools/go.mod b/tools/go.mod
index 780dc5b..698d6f9 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -6,7 +6,7 @@ toolchain go1.26.2
 
 require (
 	connectrpc.com/connect v1.19.2
-	github.com/cerbos/actions v0.0.0-20260505190950-b65bfbd7621d
+	github.com/cerbos/actions v0.0.0-20260515102558-e0522b0533b6
 	github.com/cerbos/protoc-gen-go-hashpb v0.5.0
 	github.com/planetscale/vtprotobuf v0.6.1-0.20250313105119-ba97887b0a25
 	github.com/vektra/mockery/v3 v3.7.0
@@ -56,7 +56,7 @@ require (
 	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
 	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/term v0.42.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/tools/go.sum b/tools/go.sum
index b233266..a4fb046 100644
--- a/tools/go.sum
+++ b/tools/go.sum
@@ -4,8 +4,8 @@ github.com/bitfield/gotestdox v0.2.2 h1:x6RcPAbBbErKLnapz1QeAlf3ospg8efBsedU93CD
 github.com/bitfield/gotestdox v0.2.2/go.mod h1:D+gwtS0urjBrzguAkTM2wodsTQYFHdpx8eqRJ3N+9pY=
 github.com/brunoga/deep v1.3.1 h1:bSrL6FhAZa6JlVv4vsi7Hg8SLwroDb1kgDERRVipBCo=
 github.com/brunoga/deep v1.3.1/go.mod h1:GDV6dnXqn80ezsLSZ5Wlv1PdKAWAO4L5PnKYtv2dgaI=
-github.com/cerbos/actions v0.0.0-20260505190950-b65bfbd7621d h1:a7NijPLthdw2f3DIIY5Wl+ROH9GnJXvOIamfX7a1ZUI=
-github.com/cerbos/actions v0.0.0-20260505190950-b65bfbd7621d/go.mod h1:Oez+ZLwg55HZZmPRFCfE54aNL8/zGNl8LJa3KHk4QAY=
+github.com/cerbos/actions v0.0.0-20260515102558-e0522b0533b6 h1:wCwPJflxb7n25PTiBVRZA00ucbpysPjlW++BCMJdzf0=
+github.com/cerbos/actions v0.0.0-20260515102558-e0522b0533b6/go.mod h1:eExHaISF7LBw4Q0GkGL5Xj8ac6l7V7m910yRnj2Mx4c=
 github.com/cerbos/protoc-gen-go-hashpb v0.5.0 h1:eRxAGfPtAPIwuEu/5TwUM//iE2DLxPRv6MYcKTk+Vqg=
 github.com/cerbos/protoc-gen-go-hashpb v0.5.0/go.mod h1:2xx4aHivI/LQZA2iusGwPwsg/EOKxRX59BZZbojy2OM=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -149,8 +149,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=