diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index f6ceeab..c05dcf9 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -63,7 +63,7 @@ jobs:
       image_tag: ${{ steps.meta.outputs.tag }}
       environment: ${{ steps.env.outputs.environment }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Determine environment from branch
         id: env
@@ -153,7 +153,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-and-push
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.ref_name }}
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d0a0462..eab39b0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -20,7 +20,7 @@ jobs:
     name: Secret scan (gitleaks)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -46,7 +46,7 @@ jobs:
     # once Dependency Graph is enabled.
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: actions/dependency-review-action@v4
         with:
           fail-on-severity: high
@@ -56,7 +56,7 @@ jobs:
     name: Format check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v3
         with:
@@ -75,7 +75,7 @@ jobs:
     name: Sentinel policy tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Install Sentinel
         run: |
@@ -116,7 +116,7 @@ jobs:
           - argocd
           - monitoring
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v3
         with:
@@ -140,7 +140,7 @@ jobs:
           - vault-cluster
           - app-cluster
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v3
         with:
@@ -164,7 +164,7 @@ jobs:
       matrix:
         service: [web, auth, catalog, orders, gateway]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v5
         with:
@@ -202,7 +202,7 @@ jobs:
       matrix:
         overlay: [dev, staging]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Install kubeconform
         run: |
@@ -224,7 +224,7 @@ jobs:
     name: Container image scan
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Build image
         run: docker build -t netlix-web:ci app/services/web/
@@ -278,7 +278,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-python@v5
         with:
diff --git a/.github/workflows/drift-detection.yaml b/.github/workflows/drift-detection.yaml
index 807e0e7..0cd2980 100644
--- a/.github/workflows/drift-detection.yaml
+++ b/.github/workflows/drift-detection.yaml
@@ -37,7 +37,7 @@ jobs:
     name: Terraform fmt + validate
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: hashicorp/setup-terraform@v3
         with:
@@ -67,7 +67,7 @@ jobs:
       matrix:
         overlay: [dev, staging]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Install kubeconform
         run: |
@@ -89,7 +89,7 @@ jobs:
     name: Pinned image digests still resolve
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Extract digest-pinned images from manifests
         id: extract
diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml
index 7a50cc7..58a62ce 100644
--- a/.github/workflows/load-test.yaml
+++ b/.github/workflows/load-test.yaml
@@ -49,7 +49,7 @@ jobs:
       LOCUST_MAX_FAIL_RATIO: ${{ inputs.max_fail_ratio }}
       LOCUST_MAX_P95_MS: ${{ inputs.max_p95_ms }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-python@v5
         with:
diff --git a/.github/workflows/promote.yaml b/.github/workflows/promote.yaml
index 9e18171..bdc22cb 100644
--- a/.github/workflows/promote.yaml
+++ b/.github/workflows/promote.yaml
@@ -44,7 +44,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ inputs.from }}
           fetch-depth: 0
@@ -105,7 +105,7 @@ jobs:
       LOCUST_MAX_FAIL_RATIO: '0.05'
       LOCUST_MAX_P95_MS: '2000'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ inputs.from }}
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9cce8a1..808097b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -21,7 +21,7 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: docker/login-action@v3
         with:
diff --git a/.github/workflows/sentinel-test.yaml b/.github/workflows/sentinel-test.yaml
index 8ceff9f..04c9ca2 100644
--- a/.github/workflows/sentinel-test.yaml
+++ b/.github/workflows/sentinel-test.yaml
@@ -8,7 +8,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Install Sentinel
         run: |