diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 63541ae..d762f0a 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -59,6 +59,6 @@ jobs:
 
       # SARIF into the Security tab so findings show up per-PR.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 019f2d0..808e6b9 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -43,6 +43,6 @@ jobs:
           format: sarif
           output: trivy-fs.sarif
       - if: always()
-        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
         with:
           sarif_file: trivy-fs.sarif