diff --git a/.github/workflows/auto-approve-deps.yml b/.github/workflows/auto-approve-deps.yml
index 6e2e0da76..5c76cd509 100644
--- a/.github/workflows/auto-approve-deps.yml
+++ b/.github/workflows/auto-approve-deps.yml
@@ -13,7 +13,7 @@ jobs:
       - name: Fetch and confirm dependabot metadata
         id: dependabot-metadata
         uses: dependabot/fetch-metadata@v2.2.0
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v4.2.0
       - name: Approve a PR if not already approved
         run: |
           gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ce142ccfe..b8a46453c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4.1.7
+        uses: actions/checkout@v4.2.0
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
diff --git a/.github/workflows/lint-pr-title-body.yml b/.github/workflows/lint-pr-title-body.yml
index 8cc4cf0af..faf9e0388 100644
--- a/.github/workflows/lint-pr-title-body.yml
+++ b/.github/workflows/lint-pr-title-body.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v4.2.0
       - name: Use LTS Node.js
         uses: actions/setup-node@v4.0.4
         with:
diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml
index d5eaabf64..f0e813e60 100644
--- a/.github/workflows/presubmit.yml
+++ b/.github/workflows/presubmit.yml
@@ -20,9 +20,9 @@ jobs:
       Editable: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
 
     steps:
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v4.2.0
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v4.2.0
         if: github.event_name == 'pull_request_target'
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 73933fc14..83ccdded3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.7
+        uses: actions/checkout@v4.2.0
         with:
           fetch-depth: 0
           persist-credentials: false
diff --git a/.github/workflows/scan-deps.yml b/.github/workflows/scan-deps.yml
index f87f931c0..ff48efe26 100644
--- a/.github/workflows/scan-deps.yml
+++ b/.github/workflows/scan-deps.yml
@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v4.1.7
+        uses: actions/checkout@v4.2.0
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/update-dicts.yml b/.github/workflows/update-dicts.yml
index fb8d42fcd..df3f915b6 100644
--- a/.github/workflows/update-dicts.yml
+++ b/.github/workflows/update-dicts.yml
@@ -8,7 +8,7 @@ jobs:
   update-dicts:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.1.7
+      - uses: actions/checkout@v4.2.0
       - uses: actions/setup-node@v4.0.4
         with:
           node-version: lts/*