diff --git a/.github/workflows/collect.yml b/.github/workflows/collect.yml
index 4dc2a16..3728a23 100644
--- a/.github/workflows/collect.yml
+++ b/.github/workflows/collect.yml
@@ -24,7 +24,7 @@ jobs:
       # readable version in a trailing comment) per GitHub's supply-chain
       # hardening guidance. Dependabot keeps the pin current via PRs — do
       # not "clean up" the SHA back to a tag.
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Collect traffic data
         env:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9b27eff..b3053c2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       # SHA-pinned per supply-chain hardening guidance; Dependabot keeps it
       # current. See .github/workflows/collect.yml for the full rationale.
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Run shellcheck
         run: shellcheck scripts/*.sh