diff --git a/.github/actions/gradle-task-with-commit/action.yml b/.github/actions/gradle-task-with-commit/action.yml
index 78bce5ab23..fa3d8eb7c5 100644
--- a/.github/actions/gradle-task-with-commit/action.yml
+++ b/.github/actions/gradle-task-with-commit/action.yml
@@ -45,7 +45,7 @@ runs:
 
     # ensure that we have the actual branch checked out.  By default, actions/checkout is headless.
     - name: check out with PAT
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       if: steps.can-push.outputs.can_push == 'true'
       with:
         token: ${{ inputs.personal-access-token }}
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
index 252864073d..204492e0b3 100644
--- a/.github/workflows/publish-snapshot.yml
+++ b/.github/workflows/publish-snapshot.yml
@@ -13,7 +13,7 @@ jobs:
     timeout-minutes: 35
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Check for -SNAPSHOT version
         uses: ./.github/actions/gradle-task
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
index 75db9c5676..6806a2bb77 100644
--- a/.github/workflows/validate-codeowners.yml
+++ b/.github/workflows/validate-codeowners.yml
@@ -12,7 +12,7 @@ jobs:
     name: Validate Codeowners
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       # https://github.com/marketplace/actions/github-codeowners-validator
       - uses: mszostok/codeowners-validator@v0.7.4
         with:
diff --git a/.github/workflows/validate-documentation.yml b/.github/workflows/validate-documentation.yml
index 105bebfc9b..e10e88bb65 100644
--- a/.github/workflows/validate-documentation.yml
+++ b/.github/workflows/validate-documentation.yml
@@ -14,7 +14,7 @@ jobs:
     name: Lint Markdown files
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - name: Set up Ruby 2.6
         uses: ruby/setup-ruby@v1
         with: