diff --git a/.github/workflows/go-pr.yaml b/.github/workflows/go-pr.yaml
index 19783ce..5fbac77 100644
--- a/.github/workflows/go-pr.yaml
+++ b/.github/workflows/go-pr.yaml
@@ -119,7 +119,7 @@ jobs:
 
       - name: Upload gosec SARIF
         if: always() && hashFiles('gosec-results.sarif') != ''
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: gosec-results.sarif
           category: gosec
@@ -142,15 +142,15 @@ jobs:
           cache: true
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
 
   test:
     name: Tests & Coverage
diff --git a/.github/workflows/go-release.yaml b/.github/workflows/go-release.yaml
index 7c29558..d0d257c 100644
--- a/.github/workflows/go-release.yaml
+++ b/.github/workflows/go-release.yaml
@@ -131,14 +131,13 @@ jobs:
           HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
 
       # Rolling release (optional, e.g., v1 for GitHub Actions)
-      - name: Delete existing rolling release
+      - name: Update rolling release tag
         if: inputs.rolling-release-tag != ''
         run: |
-          gh release delete ${{ inputs.rolling-release-tag }} --cleanup-tag -y || true
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          git tag -f ${{ inputs.rolling-release-tag }}
+          git push origin ${{ inputs.rolling-release-tag }} --force
 
-      - name: Create rolling release
+      - name: Update or create rolling release
         if: inputs.rolling-release-tag != ''
         uses: ncipollo/release-action@v1
         with: