diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 3d1d8de..3d58edd 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -41,7 +41,7 @@ jobs:
 
       # Upload is isolated from the scanner so Trivy never gets security-events write access.
       - name: Persist SARIF report
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: trivy-results
           path: trivy-results.sarif