diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index 9e91983a..e7c1b796 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -30,6 +30,6 @@ jobs:
           name: scorecard-results
           path: results.sarif
           retention-days: 30
-      - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98  # v4
+      - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/security-scans.yaml b/.github/workflows/security-scans.yaml
index 90900b81..f110619b 100644
--- a/.github/workflows/security-scans.yaml
+++ b/.github/workflows/security-scans.yaml
@@ -36,7 +36,7 @@ jobs:
           exit-code: 0  # Informational — upstream dependency CVEs in community examples
           format: sarif
           output: trivy-results.sarif
-      - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98  # v4
+      - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4
         if: always()
         with:
           sarif_file: trivy-results.sarif
@@ -49,11 +49,11 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
-      - uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98  # v4
+      - uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4
         with:
           languages: python
           queries: security-extended
-      - uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98  # v4
+      - uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4
 
   hadolint:
     runs-on: ubuntu-latest