diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2b58772..f911a94 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
     steps:
       # Third-party actions are SHA-pinned (tags can be repointed, SHAs can't);
       # the comment records the human-readable version for reviewable bumps.
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
 
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e3d3ab9..4c51e33 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       # All third-party actions are SHA-pinned per supply-chain best practice;
       # the comment records the human-readable version next to each SHA.
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
 
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
         with: