diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 097a0f5..61f9ef1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -100,7 +100,7 @@ jobs:
 if: needs.changes.outputs.code != 'true'
 run: echo "docs-only PR — skipping build & test (matrix=${{ matrix.go-version }})"
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 if: needs.changes.outputs.code == 'true'
 - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
@@ -169,7 +169,7 @@ jobs:
 run:
 working-directory: npm
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "22"
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 6df185f..5773406 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -107,7 +107,7 @@ jobs:
 # named branch — letting an attacker who creates a branch matching
 # the tag substitute branch contents into the published tarball
 # while the gate still validates the legitimate release.
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: refs/tags/${{ steps.version.outputs.TAG }}
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index e53182c..46e1ca1 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -71,7 +71,7 @@ jobs:
 # the build source while the release evidence still refers to the
 # legitimate tag. Forcing the tags namespace disambiguates.
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: refs/tags/${{ inputs.tag }}
 fetch-depth: 0