diff --git a/.github/workflows/collect.yml b/.github/workflows/collect.yml
index 4dc2a16..be52499 100644
--- a/.github/workflows/collect.yml
+++ b/.github/workflows/collect.yml
@@ -24,7 +24,7 @@ jobs:
       # readable version in a trailing comment) per GitHub's supply-chain
       # hardening guidance. Dependabot keeps the pin current via PRs — do
       # not "clean up" the SHA back to a tag.
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Collect traffic data
         env:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9b27eff..05b7f22 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       # SHA-pinned per supply-chain hardening guidance; Dependabot keeps it
       # current. See .github/workflows/collect.yml for the full rationale.
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Run shellcheck
         run: shellcheck scripts/*.sh