diff --git a/.github/workflows/compose-lint.yml b/.github/workflows/compose-lint.yml
index 60d805d..df67366 100644
--- a/.github/workflows/compose-lint.yml
+++ b/.github/workflows/compose-lint.yml
@@ -64,13 +64,13 @@ jobs:
       lint-result: ${{ steps.results.outputs.lint-result }}
     steps:
       - name: Checkout target repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           repository: ${{ inputs.target-repository }}
           ref: ${{ inputs.target-ref }}
 
       - name: Checkout compose-workflow for linting scripts
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           repository: owine/compose-workflow
           ref: main
diff --git a/.github/workflows/compose-security.yml b/.github/workflows/compose-security.yml
index ca44aaa..7cd84b7 100644
--- a/.github/workflows/compose-security.yml
+++ b/.github/workflows/compose-security.yml
@@ -76,7 +76,7 @@ jobs:
       trivy-result: ${{ steps.results.outputs.trivy-result }}
     steps:
       - name: Checkout target repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           repository: ${{ inputs.target-repository }}
           ref: ${{ inputs.target-ref }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 6653f19..c46126b 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -79,12 +79,12 @@ jobs:
       has_disabled_stacks: ${{ steps.discover-stacks.outputs.has_disabled_stacks }}
       critical_stacks: ${{ steps.detect-critical.outputs.critical_stacks }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           fetch-depth: 0
           ref: ${{ inputs.target-ref }}
 
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           repository: owine/compose-workflow
           ref: main
@@ -257,7 +257,7 @@ jobs:
       # actions/checkout authenticates via GITHUB_TOKEN; the deploy user has no
       # GitHub credentials, so we fetch into the workspace and then sync the
       # live tree from the local workspace (no network auth required).
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         if: steps.skip-gate.outputs.skipped == 'false'
         with:
           fetch-depth: 0
@@ -756,7 +756,7 @@ jobs:
           (needs.prepare.outputs.has_removed_stacks == 'true' ||
            needs.prepare.outputs.has_existing_stacks == 'true' ||
            needs.prepare.outputs.has_new_stacks == 'true')
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           repository: owine/compose-workflow
           sparse-checkout: scripts/deployment
diff --git a/.github/workflows/workflow-lint.yml b/.github/workflows/workflow-lint.yml
index e5c502a..32e0b02 100644
--- a/.github/workflows/workflow-lint.yml
+++ b/.github/workflows/workflow-lint.yml
@@ -18,7 +18,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
 
       - name: Run yamllint
         id: yamllint