diff --git a/.github/workflows/code-analysis-built-module.yml b/.github/workflows/code-analysis-built-module.yml
index 2ca38ceb94..ce1812ca36 100644
--- a/.github/workflows/code-analysis-built-module.yml
+++ b/.github/workflows/code-analysis-built-module.yml
@@ -67,6 +67,6 @@ jobs:
 
           Write-Information -MessageData 'Analyzing done.' -InformationAction 'Continue'
       - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 74ca691989..a6f127a27d 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -77,6 +77,6 @@ jobs:
 
           Write-Information -MessageData 'Analyzing done.' -InformationAction 'Continue'
       - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: results.sarif
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2553a1e3c9..aa6fd6c347 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -199,6 +199,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   with improved task grouping and problem matchers.
 - Updated instruction files to use correct build command (`noop` instead of
   `build`) and fixed file pattern matching syntax.
+- Bump GitHub actions codeql-action/upload-sarif to v4
 
 ## [17.2.0] - 2025-09-16