diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 64de2fd49c9..9f3f5aed38f 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -6,24 +6,24 @@ on:
     branches: [ "6" ]
     tags: [ "*" ]
 
+permissions: {}
+
 jobs:
   changelog:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: read
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    permissions: {}
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Generate changelog
-        uses: docker://toolhippie/calens:0.4.0
+        uses: actionhippie/calens@244f3e5c328b842a740113859b87bbebf697f63b # v1.13.1
         with:
-          entrypoint: /bin/sh
-          args: -c "calens > CHANGELOG.md"
+          target: CHANGELOG.md
 
       - name: Show diff
         run: git diff
@@ -31,19 +31,22 @@ jobs:
       - name: Output
         run: cat CHANGELOG.md
 
-      - name: Publish
-        if: >
-          github.event_name == 'push' &&
-          github.ref == 'refs/heads/master' &&
-          !startsWith(github.ref, 'refs/tags/') &&
-          !startsWith(github.ref, 'refs/pull/')
-        run: |
-          git config user.name "ownClouders"
-          git config user.email "devops@owncloud.com"
-          git add CHANGELOG.md
-          if git diff --staged --quiet; then
-            echo "No changes to commit"
-            exit 0
-          fi
-          git commit -m "Automated changelog update [skip ci]"
-          git push origin master
+      - name: Generate GitHub App token
+        id: app-token
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
+        with:
+          app-id: ${{ secrets.TRANSLATION_APP_ID }}
+          private-key: ${{ secrets.TRANSLATION_APP_PRIVATE_KEY }}
+
+      - name: Create or update changelog pull request
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          branch: chore/changelog-update
+          commit-message: "chore: update changelog"
+          title: "chore: update changelog"
+          body: "Automated changelog update. This pull request is updated on each push to master — merging it will close it and a fresh one will be opened on the next change."
+          delete-branch: true
+          sign-commits: true
diff --git a/.github/workflows/gui-tests.yml b/.github/workflows/gui-tests.yml
index 4ada43fcc77..0cb43e8575e 100644
--- a/.github/workflows/gui-tests.yml
+++ b/.github/workflows/gui-tests.yml
@@ -21,10 +21,10 @@ jobs:
       image: owncloudci/squish:fedora-42-8.1.0-qt68x-linux64
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup NodeJs
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 18
 
@@ -83,7 +83,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Build client
         run: |
@@ -158,22 +158,3 @@ jobs:
           REPORT_DIR: /__w/client/client/test/gui/guiReportUpload
           SERVER_TYPE: ocis
         run: bash test/gui/ci/log_reports.sh ${REPORT_DIR} ${GITHUB_REPO} ${GITHUB_RUN_NUMBER} ${SERVER_TYPE}
-
-  notification:
-    needs: gui-tests
-    if: github.event_name == 'schedule'
-    runs-on: ubuntu-latest
-    container:
-      image: owncloudci/alpine:latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: notify-matrix
-        env:
-          CACHE_ENDPOINT: ${{ env.S3_PUBLIC_CACHE_SERVER }}
-          CACHE_BUCKET: ${{ env.S3_PUBLIC_CACHE_BUCKET }}
-          MATRIX_TOKEN: ${{ secrets.MATRIX_TOKEN }}
-          GITHUB_BUILD_STATUS: ${{ needs.gui-tests.result }}
-          COMMIT_AUTHOR: ${{ github.event.head_commit.author.name }}
-        run: bash test/gui/ci/notification_template.sh .
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9ba98a0ec00..f0857f944ac 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -58,21 +58,21 @@ jobs:
     steps:
     - name: Check out full source code for tooling
       if: ${{ matrix.useSonarCloud || matrix.name  == 'linux-gcc-x86_64' }}
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
 
     - name: Check out latest commit
       if: ${{ !matrix.useSonarCloud && matrix.name  != 'linux-gcc-x86_64' }}
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       if: matrix.name  == 'windows-cl-x86_64'
       with:
         python-version: '3.12'
 
     - name: Restore cache
-      uses: actions/cache@v4
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: ~/cache
         key: ${{ runner.os }}-${{ matrix.target }}
@@ -171,7 +171,7 @@ jobs:
         Copy-Item "${env:GITHUB_WORKSPACE}/.craft.shelf" "${env:GITHUB_WORKSPACE}/binaries/"
 
     - name: Upload artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: ${{ matrix.name }}
         path: ${{ github.workspace }}/binaries/*