diff --git a/.github/workflows/publish-release-npm-package.yml b/.github/workflows/publish-release-npm-package.yml
index 9ebe4d5..2e4d633 100644
--- a/.github/workflows/publish-release-npm-package.yml
+++ b/.github/workflows/publish-release-npm-package.yml
@@ -17,7 +17,7 @@ jobs:
             id-token: write
         steps:
             - name: 🧮 Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
             - name: 🔧 Yarn cache
               uses: actions/setup-node@v4
diff --git a/.github/workflows/reusable-playwright-tests.yml b/.github/workflows/reusable-playwright-tests.yml
index f10d7d5..c576e88 100644
--- a/.github/workflows/reusable-playwright-tests.yml
+++ b/.github/workflows/reusable-playwright-tests.yml
@@ -14,7 +14,7 @@ jobs:
         name: Run Playwright end-to-end tests & upload html report
         runs-on: ubuntu-24.04-arm
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
               with:
                   repository: ${{ inputs.webapp-artifact && 'element-hq/element-modules' || github.repository }}
 
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 9078d3f..4100748 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -31,7 +31,7 @@ jobs:
                   target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
             - name: "🧮 Checkout code"
-              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
               with:
                   repository: ${{ github.event.workflow_run.head_repository.full_name }}
                   ref: ${{ github.event.workflow_run.head_branch }} # checkout commit that triggered this workflow
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
index 1c87aef..32f1c26 100644
--- a/.github/workflows/static-analysis.yaml
+++ b/.github/workflows/static-analysis.yaml
@@ -24,7 +24,7 @@ jobs:
                     - lint:prettier
                     - lint:knip
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
             - uses: actions/setup-node@v4
               with:
diff --git a/.github/workflows/synapse-module.yml b/.github/workflows/synapse-module.yml
index b3f9891..1cc38f5 100644
--- a/.github/workflows/synapse-module.yml
+++ b/.github/workflows/synapse-module.yml
@@ -17,7 +17,7 @@ jobs:
         env:
             DOCKER_IMAGE: ghcr.io/element-hq/synapse-guest-module
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
             - name: Login to ghcr.io
               uses: docker/login-action@v3
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a8d8d22..3e09352 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -14,7 +14,7 @@ jobs:
         name: Run tests & upload coverage reports
         runs-on: ubuntu-24.04-arm
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
             - uses: actions/setup-node@v4
               with: