diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7a98dce..d92a0b3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,7 +37,7 @@ jobs:
     name: shell syntax + shellcheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: bash -n on tracked shell scripts
         run: |
@@ -61,7 +61,7 @@ jobs:
       matrix:
         arch: [arm64, x86_64]
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: build StackNudge.app
         run: ./build.sh ${{ matrix.arch }}
@@ -80,7 +80,7 @@ jobs:
     name: swift test
     runs-on: macos-15
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: print toolchain
         run: |
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index ebe463c..4c8c5b2 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -35,7 +35,7 @@ jobs:
       # The fallback `workflow_dispatch` trigger on release.yml stays —
       # if `RELEASE_PAT` is unset, the action uses GITHUB_TOKEN and you
       # can still dispatch the build manually.
-      - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
+      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
         with:
           token: ${{ secrets.RELEASE_PAT }}
           config-file: .release-please-config.json
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4b70cce..63c04cf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -48,7 +48,7 @@ jobs:
       TARGET_TAG: ${{ inputs.tag || github.ref_name }}
 
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           # Check out the actual tag's commit rather than the workflow's
           # ref, so workflow_dispatch builds the same source the original
@@ -154,7 +154,7 @@ jobs:
       # tag_name explicit so workflow_dispatch attaches to the right release
       # — without it action-gh-release uses github.ref which is "main"-ish
       # for manual dispatches and fails to find a matching release.
-      - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+      - uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3
         with:
           tag_name: ${{ env.TARGET_TAG }}
           files: |