diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index 24a30fde..6f65f0a3 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -33,7 +33,7 @@ jobs:
         run: NO_GPG_SIGN=true ./gradlew --stacktrace check test build javadocJar publishToMavenLocal
 
       - name: Upload jars
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: maven-repo
           path: ~/.m2/repository/com/yubico/yubikit/
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index c1e9c91a..5aa14749 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -68,7 +68,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: SARIF file
           path: results.sarif
diff --git a/.github/workflows/spotbugs-scan.yml b/.github/workflows/spotbugs-scan.yml
index f46266bb..437d2d49 100644
--- a/.github/workflows/spotbugs-scan.yml
+++ b/.github/workflows/spotbugs-scan.yml
@@ -39,7 +39,7 @@ jobs:
       - name: Build with Gradle
         run: ./gradlew spotbugsRelease spotbugsMain
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: sarif-files
           path: ./build/spotbugs/*.sarif