diff --git a/.github/workflows/backup.yml b/.github/workflows/backup.yml
index ef68a332..b5c1723e 100644
--- a/.github/workflows/backup.yml
+++ b/.github/workflows/backup.yml
@@ -12,7 +12,7 @@ jobs:
     
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
index 4adaf550..a376ddb5 100644
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/clear_cache.yml b/.github/workflows/clear_cache.yml
index e31dedab..18339a6d 100644
--- a/.github/workflows/clear_cache.yml
+++ b/.github/workflows/clear_cache.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
 
       - name: Delete all caches
         env:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7c245f70..8dea1e33 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
 
       - name: Set up JDK 19
         uses: actions/setup-java@v5
diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml
index 4f361452..a56cec56 100644
--- a/.github/workflows/dependency-submission.yml
+++ b/.github/workflows/dependency-submission.yml
@@ -25,7 +25,7 @@ jobs:
   dependency-submission:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       # foojay-resolver was removed, so the jvmToolchain(21) request must be satisfied
       # by an installed JDK rather than auto-downloaded.
diff --git a/.github/workflows/gemini-invoke.yml b/.github/workflows/gemini-invoke.yml
index ff2e9ca8..2efab078 100644
--- a/.github/workflows/gemini-invoke.yml
+++ b/.github/workflows/gemini-invoke.yml
@@ -38,7 +38,7 @@ jobs:
           permission-pull-requests: 'write'
 
       - name: 'Checkout repository'
-        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v5
+        uses: 'actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0' # ratchet:actions/checkout@v5
         with:
           token: '${{ steps.mint_identity_token.outputs.token || secrets.GH_TOKEN || github.token }}'
           fetch-depth: 0
diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml
index dca574ca..6342a2fd 100644
--- a/.github/workflows/gemini-review.yml
+++ b/.github/workflows/gemini-review.yml
@@ -39,7 +39,7 @@ jobs:
           permission-pull-requests: 'write'
 
       - name: 'Checkout repository'
-        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v5
+        uses: 'actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0' # ratchet:actions/checkout@v5
 
       - name: 'Run Gemini pull request review'
         uses: 'google-github-actions/run-gemini-cli@v0' # ratchet:exclude
diff --git a/.github/workflows/gemini-scheduled-triage.yml b/.github/workflows/gemini-scheduled-triage.yml
index 3c289f70..6d0d8618 100644
--- a/.github/workflows/gemini-scheduled-triage.yml
+++ b/.github/workflows/gemini-scheduled-triage.yml
@@ -62,7 +62,7 @@ jobs:
           permission-pull-requests: 'write'
 
       - name: 'Checkout repository'
-        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v5
+        uses: 'actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0' # ratchet:actions/checkout@v5
 
       - name: 'Get available labels'
         id: 'get_labels'
diff --git a/.github/workflows/gemini-triage.yml b/.github/workflows/gemini-triage.yml
index f439abe7..c3f8d7a7 100644
--- a/.github/workflows/gemini-triage.yml
+++ b/.github/workflows/gemini-triage.yml
@@ -38,7 +38,7 @@ jobs:
           permission-pull-requests: 'write'
 
       - name: 'Checkout repository'
-        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v5
+        uses: 'actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0' # ratchet:actions/checkout@v5
 
       - name: 'Get available labels'
         id: 'get_labels'
diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
index 526e190c..0b164bee 100644
--- a/.github/workflows/jekyll-gh-pages.yml
+++ b/.github/workflows/jekyll-gh-pages.yml
@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
       - name: Setup Pages
         uses: actions/configure-pages@v6
       - name: Build with Jekyll
diff --git a/.github/workflows/jules-branch-manager.yml b/.github/workflows/jules-branch-manager.yml
index 7b80bc05..384f42d6 100644
--- a/.github/workflows/jules-branch-manager.yml
+++ b/.github/workflows/jules-branch-manager.yml
@@ -50,7 +50,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/jules-issue-handler.yml b/.github/workflows/jules-issue-handler.yml
index 508f402e..eb3471e2 100644
--- a/.github/workflows/jules-issue-handler.yml
+++ b/.github/workflows/jules-issue-handler.yml
@@ -42,8 +42,8 @@ jobs:
 
     steps:
       - name: Checkout repository
-        # TODO: replace with the SHA for actions/checkout@v6 once verified.
-        uses: actions/checkout@v6
+        # TODO: replace with the SHA for actions/checkout@v7 once verified.
+        uses: actions/checkout@v7
         with:
           fetch-depth: 0
           persist-credentials: false
diff --git a/.github/workflows/pr-contribution-guidelines-review.yml b/.github/workflows/pr-contribution-guidelines-review.yml
index 08309a35..55fb8628 100644
--- a/.github/workflows/pr-contribution-guidelines-review.yml
+++ b/.github/workflows/pr-contribution-guidelines-review.yml
@@ -34,7 +34,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         # Default behavior handles fork PRs correctly (checking out the merge commit)
         # whereas explicit ref: head_ref fails for forks if the branch isn't on origin.
 
diff --git a/.github/workflows/publish-play.yml b/.github/workflows/publish-play.yml
index cb073c0b..b3ee5a9a 100644
--- a/.github/workflows/publish-play.yml
+++ b/.github/workflows/publish-play.yml
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
         with:
           # Full history so `git rev-list --count HEAD` yields a stable, monotonic
           # versionCode for Play (Play rejects duplicate or lower codes).
diff --git a/.github/workflows/summary.yml b/.github/workflows/summary.yml
index 93cdcff9..0923972f 100644
--- a/.github/workflows/summary.yml
+++ b/.github/workflows/summary.yml
@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7
 
       - name: Run AI inference
         id: inference