diff --git a/.github/workflows/check_gpg_keys.yml b/.github/workflows/check_gpg_keys.yml
index ce4469d3fe..12881f4443 100644
--- a/.github/workflows/check_gpg_keys.yml
+++ b/.github/workflows/check_gpg_keys.yml
@@ -10,7 +10,7 @@ jobs:
     outputs:
       key_ids: ${{ steps.extract-key-ids.outputs.key_ids }}
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
       - name: Extract key ids from .gpg-id and output as a json list
         id: extract-key-ids
         run: echo "key_ids=$(jq -c --raw-input --slurp 'split("\n") | map(select(. != ""))' .gpg-id)" >> $GITHUB_OUTPUT
@@ -25,6 +25,6 @@ jobs:
     env:
       GPG_KEY_ID: ${{ matrix.key_id }}
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
       - name: Import key from keyserver
         run: make .download-gpg-key
diff --git a/.github/workflows/generate_buildpack_bump_pr.yml b/.github/workflows/generate_buildpack_bump_pr.yml
index dcca7b5271..9c9adb2a06 100644
--- a/.github/workflows/generate_buildpack_bump_pr.yml
+++ b/.github/workflows/generate_buildpack_bump_pr.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       ## Setup
       - name: Checkout repo
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
           submodules: true
           # auth will be retained by repo configuration
diff --git a/.github/workflows/test_on_pr.yml b/.github/workflows/test_on_pr.yml
index afdf4f6f92..ed40803a64 100644
--- a/.github/workflows/test_on_pr.yml
+++ b/.github/workflows/test_on_pr.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
       ## Setup
       - name: Checkout repo
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
           submodules: true