diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index b7c1ecdc..40654c2d 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -188,7 +188,7 @@ jobs:
         brew install binutils ccache coreutils google-benchmark googletest ninja sdl2
 
     - name: Checkout the source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         submodules: true
         fetch-depth: 2
@@ -220,7 +220,7 @@ jobs:
 
     - name: Checkout the LLVM source
       if: matrix.name == 'msan' && env.WILL_BUILD == 'true'
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         submodules: false
         repository: llvm/llvm-project
diff --git a/.github/workflows/build_test_bazel.yml b/.github/workflows/build_test_bazel.yml
index e26f473e..98859c3d 100644
--- a/.github/workflows/build_test_bazel.yml
+++ b/.github/workflows/build_test_bazel.yml
@@ -37,7 +37,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout the source
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
           fetch-depth: 1
diff --git a/.github/workflows/build_test_cross.yml b/.github/workflows/build_test_cross.yml
index b6214fe5..7d284381 100644
--- a/.github/workflows/build_test_cross.yml
+++ b/.github/workflows/build_test_cross.yml
@@ -82,7 +82,7 @@ jobs:
         apt-get install -y ca-certificates debian-ports-archive-keyring git python3
 
     - name: Checkout the source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         submodules: true
         fetch-depth: 1
diff --git a/.github/workflows/build_test_msys2.yml b/.github/workflows/build_test_msys2.yml
index eed7caa6..7a1941bd 100644
--- a/.github/workflows/build_test_msys2.yml
+++ b/.github/workflows/build_test_msys2.yml
@@ -52,7 +52,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout the source
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
           fetch-depth: 1
diff --git a/.github/workflows/build_test_wasm.yml b/.github/workflows/build_test_wasm.yml
index 1adc1d30..ee96be54 100644
--- a/.github/workflows/build_test_wasm.yml
+++ b/.github/workflows/build_test_wasm.yml
@@ -46,7 +46,7 @@ jobs:
       with:
         egress-policy: audit
 
-    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         submodules: true
         fetch-depth: 1
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5491681e..40912197 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -56,7 +56,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
@@ -98,7 +98,7 @@ jobs:
           echo "CC=${{ matrix.cc || 'clang' }}" >> $GITHUB_ENV
           echo "CXX=${{ matrix.cxx || 'clang++' }}" >> $GITHUB_ENV
       - name: Checkout the source
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
           fetch-depth: 2
diff --git a/.github/workflows/debug_ci.yml b/.github/workflows/debug_ci.yml
index a05ead29..b889c530 100644
--- a/.github/workflows/debug_ci.yml
+++ b/.github/workflows/debug_ci.yml
@@ -124,7 +124,7 @@ jobs:
         echo "CC=${{ matrix.c_compiler || 'clang-11' }}" >> $GITHUB_ENV
         echo "CXX=${{ matrix.cxx_compiler || 'clang++-11' }}" >> $GITHUB_ENV
     - name: Checkout the source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         submodules: true
         fetch-depth: 1
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 57c7be29..36b51439 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -32,6 +32,6 @@ jobs:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 24dc7b7f..2ac33a58 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -40,7 +40,7 @@ jobs:
         egress-policy: audit
 
     - name: Checkout source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       id: checkout
       with:
         # The build_fuzzers action checks out the code to the storage/libjxl
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index b17f4704..416905c6 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -30,7 +30,7 @@ jobs:
         egress-policy: audit
 
     - name: Checkout the source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
     - name: Check AUTHORS file
       # This is an optional check
       continue-on-error: True
@@ -56,7 +56,7 @@ jobs:
           clang-format-15 \
         #
     - name: Checkout the source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
     - name: Install buildifier
       run: |
         eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b6944e0a..45d7ce7c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -72,7 +72,7 @@ jobs:
         echo "CXX=clang++" >> $GITHUB_ENV
 
     - name: Checkout the source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         submodules: true
         fetch-depth: 1
@@ -163,7 +163,7 @@ jobs:
         git config --global --add safe.directory /__w/jpegli/jpegli
 
     - name: Checkout the source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         submodules: true
         fetch-depth: 1
@@ -272,7 +272,7 @@ jobs:
         egress-policy: audit
 
     - name: Checkout the source
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       with:
         submodules: true
         fetch-depth: 2