diff --git a/.github/workflows/analyze-detekt.yml b/.github/workflows/analyze-detekt.yml
index 72ee5d0..3b7dabb 100644
--- a/.github/workflows/analyze-detekt.yml
+++ b/.github/workflows/analyze-detekt.yml
@@ -20,7 +20,7 @@ jobs:
       run: |
         JARFILE="$(mktemp -d)/detekt.jar"
         curl --request GET \
-          --url https://github.com/detekt/detekt/releases/download/v1.17.1/detekt-cli-1.17.1-all.jar \
+          --url https://github.com/detekt/detekt/releases/download/v1.23.7/detekt-cli-1.23.7-all.jar \
           --silent \
           --location \
           --output $JARFILE
@@ -32,7 +32,7 @@ jobs:
           --input ${{ github.workspace }} \
           --report sarif:${{ github.workspace }}/detekt.sarif.json
     - name: Upload results
-      uses: github/codeql-action/upload-sarif@v1
+      uses: github/codeql-action/upload-sarif@v3
       with:
         sarif_file: ${{ github.workspace }}/detekt.sarif.json
         checkout_path: ${{ github.workspace }}
diff --git a/.github/workflows/test-publish.yml b/.github/workflows/test-publish.yml
index 5e87e1d..0e18085 100644
--- a/.github/workflows/test-publish.yml
+++ b/.github/workflows/test-publish.yml
@@ -32,6 +32,11 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libunistring-dev libc6-dev-i386
         if: runner.os == 'Linux'
+      - run: |
+          # Avoid "No usable sandbox" errors on Ubuntu, based on the instructions found here:
+          # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+          echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
+        if: runner.os == 'Linux'
       - run: ./gradlew assemble check
         env:
           ORG_GRADLE_PROJECT_targets: ${{ matrix.targets }}