diff --git a/.github/workflows/coverity_scan.yml b/.github/workflows/coverity_scan.yml
index 9f70bb1f9..e450ae5c1 100644
--- a/.github/workflows/coverity_scan.yml
+++ b/.github/workflows/coverity_scan.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone repository
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v2.4.0
 
       # https://scan.coverity.com/projects/osbuild-osbuild-composer
       - name: Run coverity scan script
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 505f848d9..7e44b66c2 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -23,7 +23,7 @@ jobs:
         id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v2.4.0
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -59,7 +59,7 @@ jobs:
     name: "🐚 Shellcheck"
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v2.4.0
       with:
         ref: ${{ github.event.pull_request.head.sha }}
     - name: Run ShellCheck
@@ -77,7 +77,7 @@ jobs:
       - name: Install dependencies
         run: sudo dnf install -y rpmlint rpm-build make git-core
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v2.4.0
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
diff --git a/.github/workflows/trigger-gitlab.yml b/.github/workflows/trigger-gitlab.yml
index 00ec57f71..2bc3924e5 100644
--- a/.github/workflows/trigger-gitlab.yml
+++ b/.github/workflows/trigger-gitlab.yml
@@ -42,7 +42,7 @@ jobs:
       SCHUTZBOT_SSH_KEY: ${{ secrets.SCHUTZBOT_SSH_KEY }}
     steps:
       - name: Clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v2.4.0
         with:
           # otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger)
           ref: ${{ github.event.pull_request.head.sha }}