diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 39811e0..1bf8e68 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 # Third-party actions are SHA-pinned (tags can be repointed, SHAs can't);
 # the comment records the human-readable version for reviewable bumps.
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8cec537..3f32bfe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,7 +15,7 @@ jobs:
 steps:
 # All third-party actions are SHA-pinned per supply-chain best practice;
 # the comment records the human-readable version next to each SHA.
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # IMPORTANT: do NOT set `registry-url` here. setup-node would generate
 # an .npmrc with `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}`;