diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8b79f5e..a08f5a9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       # SHA-pinned per /cso security review (v0.1.10). Floating tags are mutable;
       # SHAs are not. Dependabot bumps these in .github/dependabot.yml.
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: ${{ matrix.node }}