diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index ccbbe26ecdcdf..4d972047b9432 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -33,6 +33,6 @@ jobs:
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       - name: Build check
         run: .github/workflows/build_test.sh
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d66dcdc7e8912..a213c289edea4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 05bf751924d54..f828818453812 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -22,7 +22,7 @@ jobs:
       COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
     steps:
       - name: Repository checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       # Reuse the setup phase of the unit test script to avoid code duplication
       - name: Install build dependencies
         run: sudo -E .github/workflows/unit_tests.sh SETUP
diff --git a/.github/workflows/development_freeze.yml b/.github/workflows/development_freeze.yml
index 17065b24d2753..11050528bce4b 100644
--- a/.github/workflows/development_freeze.yml
+++ b/.github/workflows/development_freeze.yml
@@ -63,7 +63,7 @@ jobs:
             core.exportVariable('pr_number', pr_number);
 
       - name: Repository checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
index 1a3615360591c..2c43292e269e2 100644
--- a/.github/workflows/differential-shellcheck.yml
+++ b/.github/workflows/differential-shellcheck.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Repository checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
index c85795cbb5f1b..2dfcc7f46533b 100644
--- a/.github/workflows/gather-pr-metadata.yml
+++ b/.github/workflows/gather-pr-metadata.yml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Repository checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/issue_labeler.yml b/.github/workflows/issue_labeler.yml
index e57ac70bcdbd0..37b07c33e7bc3 100644
--- a/.github/workflows/issue_labeler.yml
+++ b/.github/workflows/issue_labeler.yml
@@ -20,7 +20,7 @@ jobs:
         template: [ bug_report.yml, feature_request.yml ]
 
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
 
       - name: Parse issue form
         uses: stefanbuck/github-issue-parser@c1a559d78bfb8dd05216dab9ffd2b91082ff5324
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index d1b363824e5fd..d1e0af7754962 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Repo checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
         with:
           # We need a full repo clone
           fetch-depth: 0
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 55bbad2bde228..cdc2c97d1cddb 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -75,7 +75,7 @@ jobs:
       SYSTEMD_LOG_LEVEL: debug
 
     steps:
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+    - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
     - uses: systemd/mkosi@adaa41512aa30c952daae5ba0abcf2622d66b93b
 
     - name: Configure
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 062a95af2faa9..fbec4a872dd11 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index e2dd8c3da25a6..432c3a42e85ea 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -30,7 +30,7 @@ jobs:
             cryptolib: gcrypt
     steps:
       - name: Repository checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       - name: Install build dependencies
         run: |
           # Drop XDG_* stuff from /etc/environment, so we don't get the user