diff --git a/.github/workflows/analysis-codeql.yml b/.github/workflows/analysis-codeql.yml
index da477adbf..51cf1bec6 100644
--- a/.github/workflows/analysis-codeql.yml
+++ b/.github/workflows/analysis-codeql.yml
@@ -51,7 +51,7 @@ jobs:
           storage.googleapis.com:443
           uploads.github.com:443
     - name: Checkout repository
-      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       with:
         fetch-depth: 0
     - name: Setup Go
diff --git a/.github/workflows/analysis-nilaway.yml b/.github/workflows/analysis-nilaway.yml
index 01727d9b5..055566152 100644
--- a/.github/workflows/analysis-nilaway.yml
+++ b/.github/workflows/analysis-nilaway.yml
@@ -21,7 +21,7 @@ jobs:
           allowed-endpoints: >
             github.com:443
       - name: Checkout repository
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
       - name: Nil panic checks
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7c4f74817..5bb33610a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -94,7 +94,7 @@ jobs:
         run: |
           echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV
       - name: Checkout source
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -180,7 +180,7 @@ jobs:
             storage.googleapis.com:443
             sum.golang.org:443
       - name: Checkout repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
       - name: Set up environment
@@ -268,7 +268,7 @@ jobs:
             registry-1.docker.io:443
             rekor.sigstore.dev:443
       - name: Checkout repo
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
       - name: Set up environment
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index d6ca6502a..6b35edfdc 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -48,7 +48,7 @@ jobs:
             tuf-repo-cdn.sigstore.dev:443
             www.bestpractices.dev:443
       - name: "Checkout code"
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: "Run analysis"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7113f6e7f..32c64a3df 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -41,7 +41,7 @@ jobs:
             sum.golang.org:443
       - name: Checkout
         id: checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
       - name: Set up Go
@@ -84,7 +84,7 @@ jobs:
             raw.githubusercontent.com:443
             storage.googleapis.com:443
             sum.golang.org:443
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version-file: 'go.mod'