diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
index cbcd248..37d3a46 100644
--- a/.github/workflows/jekyll-gh-pages.yml
+++ b/.github/workflows/jekyll-gh-pages.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
       - name: Setup Ruby
         id: setup-ruby
diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
index 2d879f2..597399c 100644
--- a/.github/workflows/pypi-publish.yml
+++ b/.github/workflows/pypi-publish.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           fetch-depth: 0
 
@@ -129,7 +129,7 @@ jobs:
       id-token: write
 
     steps:
-    - uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
     - name: Set up Python
       uses: actions/setup-python@5db1cf9a59fb97c40a68accab29236f0da7e94db
diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml
index 1eab0c1..f9c97ac 100644
--- a/.github/workflows/python-tests.yml
+++ b/.github/workflows/python-tests.yml
@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@5db1cf9a59fb97c40a68accab29236f0da7e94db
diff --git a/.github/workflows/sign-release.yml b/.github/workflows/sign-release.yml
index 90091a3..f13826b 100644
--- a/.github/workflows/sign-release.yml
+++ b/.github/workflows/sign-release.yml
@@ -13,7 +13,7 @@ jobs:
   sign:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index ba8f822..15d954a 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -35,7 +35,7 @@ jobs:
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       - name: Set up Snyk CLI to check for security issues
         # Snyk can be used to break the build when it detects security issues.
         # In this case we want to upload the SAST issues to GitHub Code Scanning
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index d47ca00..7c8c8fc 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -58,7 +58,7 @@ jobs:
         tool: [bandit, ruff, mypy, pylint, codeql, snyk]
     steps:
       - name: Checkout code
-        uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 
       - name: Set up Python
         if: matrix.tool != 'codeql'  # CodeQL has its own Python setup
@@ -241,7 +241,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f # Pin to v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # Pin to v4
         with:
           # Sonar needs full history for accurate blame information and new code detection
           fetch-depth: 0