diff --git a/template/.github/workflows/build.yml b/template/.github/workflows/build.yml
index ef2ae55..96e5e01 100644
--- a/template/.github/workflows/build.yml
+++ b/template/.github/workflows/build.yml
@@ -13,7 +13,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
       - name: Set up pixi
diff --git a/template/.github/workflows/ci.yml.jinja b/template/.github/workflows/ci.yml.jinja
index 805eae7..87ef998 100644
--- a/template/.github/workflows/ci.yml.jinja
+++ b/template/.github/workflows/ci.yml.jinja
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Set up pixi
         uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
       - name: Run linting
@@ -48,7 +48,7 @@ jobs:
           - windows-latest{% raw %}
     steps:
       - name: Checkout branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
       - name: Set up pixi
diff --git a/template/.github/workflows/scorecard.yml.jinja b/template/.github/workflows/scorecard.yml.jinja
index 227665e..6d3e789 100644
--- a/template/.github/workflows/scorecard.yml.jinja
+++ b/template/.github/workflows/scorecard.yml.jinja
@@ -38,7 +38,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
 
@@ -77,7 +77,7 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
         with:
           sarif_file: results.sarif
 {%- endraw %}
diff --git a/template/.github/workflows/{% if add_autobump_workflow %}update-lockfiles.yml{% endif %} b/template/.github/workflows/{% if add_autobump_workflow %}update-lockfiles.yml{% endif %}
index eaa27c2..3cb208b 100644
--- a/template/.github/workflows/{% if add_autobump_workflow %}update-lockfiles.yml{% endif %}	
+++ b/template/.github/workflows/{% if add_autobump_workflow %}update-lockfiles.yml{% endif %}	
@@ -12,7 +12,7 @@ jobs:
   pixi-update:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Set up pixi
         uses: prefix-dev/setup-pixi@5185adfbffb4bd703da3010310260805d89ebb11 # v0.9.6
         with: