diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 3c5294fe..09378986 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -25,7 +25,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6b9a13de..bdc1ff6a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -55,7 +55,7 @@ jobs:
 # authenticate as the GitHub App (which has bypass permissions).
 # persist-credentials: false prevents the default GITHUB_TOKEN from
 # being cached by git credential helpers, ensuring the app token is used.
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 token: ${{ steps.app-token.outputs.token }}
 persist-credentials: false
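Review bot: `pnpm/action-setup@v4`, in the step right after the pinned checkout in nodejs.yml, still resolves through a mutable tag, so the job keeps the exposure that the SHA pin removes for checkout. Pin it the same way, `uses: pnpm/action-setup@<full-commit-sha> # <release-tag>`, with the SHA taken from the upstream release. The trailing `# v6` names a moving major tag; writing the exact release the SHA belongs to would make the pin checkable against upstream and is worth confirming before merge. The same check applies in publish.yml to the step with id `app-token`, which lies outside the visible hunk, as does the rest of this job.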
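Review bot: The comment above the pinned checkout in publish.yml misstates what `persist-credentials: false` does here: because `token:` is set to the app token, the default GITHUB_TOKEN is not what checkout would store, and the option instead keeps the app token out of the local git configuration once the step finishes. Since that token carries bypass permissions, the comment should state the real effect, for example `# persist-credentials: false keeps the app token out of the local git config after checkout`. If a later step pushes with this token, which cannot be seen from the hunk, it has to be handed the token explicitly. The comment itself starts above the hunk.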