diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 7fc5b10..cad7fe4 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,10 +1,16 @@
 {
-  "name": "Alpine",
-  "image": "mcr.microsoft.com/devcontainers/base:alpine-3.21",
+  "name": "ci-github-common",
+  "image": "mcr.microsoft.com/devcontainers/base:debian",
   "features": {
-    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
-    "ghcr.io/devcontainers/features/github-cli:1": {},
-    "ghcr.io/devcontainers-extra/features/act:1": {}
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "moby": false
+    },
+    "ghcr.io/devcontainers/features/github-cli:1": {
+      "extensions": "nektos/gh-act"
+    }
+  },
+  "remoteEnv": {
+    "GITHUB_TOKEN": "${localEnv:GITHUB_TOKEN}"
   },
   "customizations": {
     "vscode": {
@@ -15,7 +21,10 @@
         "github.copilot-chat",
         "ms-vscode.makefile-tools",
         "esbenp.prettier-vscode"
-      ]
+      ],
+      "settings": {
+        "terminal.integrated.defaultProfile.linux": "zsh"
+      }
     }
   }
 }
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 61e7a9c..1f1661c 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -129,11 +129,11 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      - uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           languages: ${{ matrix.language }}
 
-      - uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      - uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           category: "/language:${{matrix.language}}"
 
@@ -151,7 +151,7 @@ jobs:
           persist-credentials: false
 
       - id: changed-files
-        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
         if: ${{ inputs.lint-all == false }}
         with:
           files: |
diff --git a/Makefile b/Makefile
index ee5a0f6..5d53668 100644
--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,26 @@ lint-fix: ## Execute linting and fix
 		-e FIX_SHELL_SHFMT=true \
 	)
 
+npm-audit-fix: ## Execute npm audit fix
+	@set -uo pipefail; \
+	overall_status=0; \
+	packages="$$(find actions -type f -name package.json -not -path '*/node_modules/*' -print | sort)"; \
+	echo "Running npm audit fix for package.json files under actions/ ..."; \
+	for pkg in $$packages; do \
+		pkg_dir="$$(dirname "$$pkg")"; \
+		echo "---"; \
+		npm install --prefix "$$pkg_dir"; \
+		echo "npm audit fix in $$pkg_dir"; \
+		if ! npm --prefix "$$pkg_dir" audit fix; then \
+			overall_status=1; \
+		fi; \
+	done; \
+	exit $$overall_status
+
+ci: ## Execute CI tasks
+	$(MAKE) npm-audit-fix
+	$(MAKE) lint-fix
+
 define run_linter
 	DEFAULT_WORKSPACE="$(CURDIR)"; \
 	LINTER_IMAGE="linter:latest"; \
diff --git a/actions/get-matrix-outputs/action.yml b/actions/get-matrix-outputs/action.yml
index 46ed009..b7b74e2 100644
--- a/actions/get-matrix-outputs/action.yml
+++ b/actions/get-matrix-outputs/action.yml
@@ -41,7 +41,7 @@ runs:
           const artifactPath = path.join(process.env.RUNNER_TEMP, artifactName);
           core.setOutput('artifact-path', artifactPath);
 
-    - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         path: ${{ steps.prepare-download.outputs.artifact-path }}
         pattern: ${{ steps.prepare-download.outputs.artifact-name }}-*