diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8b79f5e..6983777 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       # SHA-pinned per /cso security review (v0.1.10). Floating tags are mutable;
       # SHAs are not. Dependabot bumps these in .github/dependabot.yml.
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: ${{ matrix.node }}