diff --git a/app/server/verify_workflow.go b/app/server/verify_workflow.go
index e72a3ce3..dc4c071b 100644
--- a/app/server/verify_workflow.go
+++ b/app/server/verify_workflow.go
@@ -271,7 +271,7 @@ func (g *githubVerifier) contains(owner, repo, hash string) (bool, error) {
 	// github/codeql-action has commits from their release branches that don't show up in the default branch
 	// this isn't the best approach for now, but theres no universal "does this commit belong to this repo" call
 	case owner == "github" && repo == "codeql-action":
-		releaseBranches := []string{"releases/v3", "releases/v2", "releases/v1"}
+		releaseBranches := []string{"releases/v4", "releases/v3", "releases/v2", "releases/v1"}
 		for _, branch := range releaseBranches {
 			contains, err = g.branchContains(branch, owner, repo, hash)
 			if err != nil {
diff --git a/app/server/verify_workflow_test.go b/app/server/verify_workflow_test.go
index 156d03fe..e3b98d59 100644
--- a/app/server/verify_workflow_test.go
+++ b/app/server/verify_workflow_test.go
@@ -123,6 +123,7 @@ func Test_githubVerifier_contains_codeql_v1(t *testing.T) {
 			responsePaths: map[string]string{
 				"codeql-action":   "./testdata/api/github/repository.json",     // api call which finds the default branch
 				"main...somehash": "./testdata/api/github/divergent.json",      // doesnt belong to default branch
+				"v4...somehash":   "./testdata/api/github/divergent.json",      // doesnt belong to releases/v4 branch
 				"v3...somehash":   "./testdata/api/github/divergent.json",      // doesnt belong to releases/v3 branch
 				"v2...somehash":   "./testdata/api/github/divergent.json",      // doesnt belong to releases/v2 branch
 				"v1...somehash":   "./testdata/api/github/containsCommit.json", // belongs to releases/v1 branch
@@ -150,6 +151,7 @@ func Test_githubVerifier_contains_codeql_v2(t *testing.T) {
 			responsePaths: map[string]string{
 				"codeql-action":   "./testdata/api/github/repository.json",     // api call which finds the default branch
 				"main...somehash": "./testdata/api/github/divergent.json",      // doesnt belong to default branch
+				"v4...somehash":   "./testdata/api/github/divergent.json",      // doesnt belong to releases/v4 branch either
 				"v3...somehash":   "./testdata/api/github/divergent.json",      // doesnt belong to releases/v3 branch either
 				"v2...somehash":   "./testdata/api/github/containsCommit.json", // belongs to releases/v2 branch
 			},