diff --git a/.github/workflows/auto-approve-deps.yml b/.github/workflows/auto-approve-deps.yml
index 5a84dede5..cb4d93112 100644
--- a/.github/workflows/auto-approve-deps.yml
+++ b/.github/workflows/auto-approve-deps.yml
@@ -13,7 +13,7 @@ jobs:
       - name: Fetch and confirm dependabot metadata
         id: dependabot-metadata
         uses: dependabot/fetch-metadata@v2.2.0
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@v4.2.2
       - name: Approve a PR if not already approved
         run: |
           gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 72c30c3da..c17d35658 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4.2.1
+        uses: actions/checkout@v4.2.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
diff --git a/.github/workflows/lint-pr-title-body.yml b/.github/workflows/lint-pr-title-body.yml
index 49416ce55..48e6affc4 100644
--- a/.github/workflows/lint-pr-title-body.yml
+++ b/.github/workflows/lint-pr-title-body.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@v4.2.2
       - name: Use LTS Node.js
         uses: actions/setup-node@v4.0.4
         with:
diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml
index e6f10d05c..74af77cfe 100644
--- a/.github/workflows/presubmit.yml
+++ b/.github/workflows/presubmit.yml
@@ -20,9 +20,9 @@ jobs:
       Editable: github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch'
 
     steps:
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@v4.2.2
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@v4.2.2
         if: github.event_name == 'pull_request_target'
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cd7731c16..cc5670751 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.1
+        uses: actions/checkout@v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: false
diff --git a/.github/workflows/scan-deps.yml b/.github/workflows/scan-deps.yml
index e096f52a6..5ecd02d45 100644
--- a/.github/workflows/scan-deps.yml
+++ b/.github/workflows/scan-deps.yml
@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v4.2.1
+        uses: actions/checkout@v4.2.2
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/update-dicts.yml b/.github/workflows/update-dicts.yml
index 44ca5ec89..9bbba143e 100644
--- a/.github/workflows/update-dicts.yml
+++ b/.github/workflows/update-dicts.yml
@@ -8,7 +8,7 @@ jobs:
   update-dicts:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@v4.2.2
       - uses: actions/setup-node@v4.0.4
         with:
           node-version: lts/*