diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8e8c478..e8faae8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ jobs:
     # accidentally raise the minimum glibc your binaries require.
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       # Tauri v2 needs these system libs to compile on Linux.
       - name: Install Tauri system dependencies
@@ -56,7 +56,7 @@ jobs:
     name: Frontend lint & audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: actions/setup-node@v4
         with:
           node-version: lts/*
@@ -71,7 +71,7 @@ jobs:
     name: Secret scan (gitleaks)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0   # gitleaks needs full history to scan all commits
       - uses: gitleaks/gitleaks-action@v2
@@ -82,7 +82,7 @@ jobs:
     name: Dependency policy (cargo-deny)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: EmbarkStudios/cargo-deny-action@v2
         with:
           manifest-path: src-tauri/Cargo.toml
@@ -91,7 +91,7 @@ jobs:
     name: SAST (semgrep)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - run: pipx install semgrep
       # `--config auto` pulls community rulesets for Rust + JS/TS;
       # `--error` makes a finding fail the job.