diff --git a/.github/workflows/bot-merge-conflict.yml b/.github/workflows/bot-merge-conflict.yml index 8794842ba..2ff5eea0b 100644 --- a/.github/workflows/bot-merge-conflict.yml +++ b/.github/workflows/bot-merge-conflict.yml @@ -33,7 +33,7 @@ jobs: ref: ${{ github.event.repository.default_branch }} - name: Harden the runner - uses: step-security/harden-runner@20cf3052978e1b6646b35198a5d69ed51a6c9d71 # v2.14.0 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit diff --git a/CHANGELOG.md b/CHANGELOG.md index da0d24095..c11ca84b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -73,6 +73,9 @@ This changelog is based on [Keep a Changelog](https://keepachangelog.com/en/1.1. - Coderabbit prompt for .github - Added merge conflict bot workflow (`.github/workflows/bot-merge-conflict.yml`) and helper script (`.github/scripts/bot-merge-conflict.js`) to detect and notify about PR merge conflicts, with retry logic for unknown mergeable states, idempotent commenting, and push-to-main recheck logic (#1247) +### Fixed +- Fixed step-security/harden-runner action SHA in merge conflict bot workflow (#1278) + ### Changed - Bumped requests from 2.32.3 to 2.32.4 to 2.32.5 - Moved `docs/sdk_developers/how_to_link_issues.md` to `docs/sdk_developers/training/workflow/how_to_link_issues.md` and updated all references (#1222)
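Review bot: In the `.github/workflows/bot-merge-conflict.yml` hunk, the pinned commit for `step-security/harden-runner` changes while the trailing `# v2.14.0` comment stays the same, so nothing in the diff shows which of the two SHAs the tag actually resolves to. The old and new values share only the prefix `20cf305`, which looks like a short SHA that was padded out incorrectly. Before merging, confirm the new 40-character value `20cf305ff2072d973412fa9b1e3a4f227bda3c76` against the upstream v2.14.0 tag, and search the other workflows for the old value `20cf3052978e1b6646b35198a5d69ed51a6c9d71` in case it was copied elsewhere. The version comment is not checked by anything, so a wrong pin either fails to resolve or runs a commit nobody reviewed.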
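Review bot: In the `CHANGELOG.md` hunk, the new `### Fixed` heading is inserted above `### Changed`, whereas Keep a Changelog (which this file says it follows) lists Changed before Fixed; consider moving the section below `### Changed`, or into an existing `### Fixed` section if this release block already has one further down. The entry also does not say what was wrong with the previous pin. A short clause on the effect, for example that the old SHA did not match the v2.14.0 release, would make the line useful to someone reading the changelog without opening #1278. Starting the bullet with "Fixed" under a `### Fixed` heading is redundant and can be dropped.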