diff --git a/.github/workflows/calculator-cli.yml b/.github/workflows/calculator-cli.yml
index 737c690..fc045e0 100644
--- a/.github/workflows/calculator-cli.yml
+++ b/.github/workflows/calculator-cli.yml
@@ -31,11 +31,11 @@ jobs:
           make build-cli
           syft calculator \
             -o spdx-json=calculator.spdx.json
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: calculator
           path: calculator
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: calculator.spdx.json
           path: calculator.spdx.json
@@ -64,11 +64,11 @@ jobs:
       - provenance
     steps:
       - name: Download calculator binary
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: calculator
       - name: Download provenance
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
       - name: Install slsa-verifier
@@ -91,15 +91,15 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
       - name: Download calculator binary
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: calculator
       - name: Download SBOM
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: calculator.spdx.json
       - name: Download provenance
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.provenance.outputs.provenance-name }}
       - name: Release