diff --git a/.github/actions/install-zstd/action.yml b/.github/actions/install-zstd/action.yml
index d60418b1df..fa103b0ec5 100644
--- a/.github/actions/install-zstd/action.yml
+++ b/.github/actions/install-zstd/action.yml
@@ -8,6 +8,10 @@ inputs:
     description: 'zstd version'
     required: false
     default: '1.5.7'
+  checksum:
+    description: 'zstd checksum'
+    required: false
+    default: 'acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9'
 
 runs:
   using: composite
@@ -17,10 +21,16 @@ runs:
       shell: pwsh
       env:
         ZSTD_VERSION: ${{ inputs.version }}
+        ZSTD_CHECKSUM: ${{ inputs.checksum }}
       run: |
         $url = "https://github.com/facebook/zstd/releases/download/v$env:ZSTD_VERSION/zstd-v$env:ZSTD_VERSION-win64.zip"
         $installDir = "$env:RUNNER_TOOL_CACHE\zstd-v$env:ZSTD_VERSION-win64"
         Invoke-WebRequest -OutFile "$env:TEMP\zstd.zip" -Uri $url
+        $checksum = (Get-FileHash "$env:TEMP\zstd.zip" -Algorithm SHA256).Hash.ToLower()
+        if ($checksum -ne $env:ZSTD_CHECKSUM) {
+          Write-Error "zstd checksum verification failed. Expected: $env:ZSTD_CHECKSUM, Actual: $checksum"
+          exit 1
+        }
         Expand-Archive -Path "$env:TEMP\zstd.zip" -DestinationPath $env:RUNNER_TOOL_CACHE -Force
         echo "$installDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
         & "$installDir\zstd.exe" --version