diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 22830f2..bb5f19e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,27 +20,25 @@ jobs:
     name: Quality (Lint & Vuln)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version: "1.25.x"
-          cache: true
-          # Cache based on all go.sum files in the workspace to capture changes in examples/submodules
-          cache-dependency-path: |
-            **/go.sum
-            go.work.sum
+          cache-dependency-path: "**/*.sum"
 
-      - name: Cache Tools Binaries
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/bin
-            ~/.cache/golangci-lint
-          # Key depends ONLY on tools/tools.go and the root go.sum (where tools versions are pinned)
-          # This prevents tool rebuilds when app dependencies change
-          key: ${{ runner.os }}-tools-${{ hashFiles('tools/tools.go', 'go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-tools-
+      # - name: Cache Tools and Modules
+      #   uses: actions/cache@v4
+      #   with:
+      #     path: |
+      #       ~/go/bin
+      #       ~/go/pkg/mod
+      #       ~/.cache/golangci-lint
+      #     # Key based on tools/tools.go and go.sum (tool versions only)
+      #     # This cache is stable: only invalidates when tools change, not app dependencies
+      #     # Caches both binaries and modules to prevent re-downloading on every run
+      #     key: ${{ runner.os }}-tools-${{ hashFiles('tools/tools.go', 'go.sum') }}
+      #     restore-keys: |
+      #       ${{ runner.os }}-tools-
 
       - name: Install tools
         # Use make tools to install versions pinned in go.mod/tools.go
@@ -56,15 +54,13 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
           go-version: "1.25.x"
-          cache: true
-          # Cache based on all go.sum files in the workspace
           cache-dependency-path: |
-            **/go.sum
-            go.work.sum
+            tools/tools.go
+            go.mod
       - name: Test with coverage
         run: make test-coverage
       - name: Upload coverage to Codecov
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fcb5bf5..64cc92a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,9 +19,9 @@ jobs:
       matrix:
         language: ["go"]
     steps:
-      - uses: actions/checkout@v4
-      - uses: github/codeql-action/init@v3
+      - uses: actions/checkout@v6
+      - uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
-      - uses: github/codeql-action/autobuild@v3
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action/autobuild@v4
+      - uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8159fa1..5feba0a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
     name: Semantic Release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0