diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d489002..9cc9fc9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,6 @@ jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Governance check
         run: echo "No repo-specific CI. Governance enforced via pr-check.yml."
\ No newline at end of file
diff --git a/.github/workflows/dependabot-cooldown-check.yml b/.github/workflows/dependabot-cooldown-check.yml
index f7daeed..e9c6fed 100644
--- a/.github/workflows/dependabot-cooldown-check.yml
+++ b/.github/workflows/dependabot-cooldown-check.yml
@@ -14,7 +14,7 @@ jobs:
   check-quarantined-prs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: config/conventions.json
           sparse-checkout-cone-mode: false
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index 9ab521e..33d15a3 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -13,7 +13,7 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: actions/configure-pages@v6
       - uses: actions/upload-pages-artifact@v5
         with: