diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index a41ab468..b199d89a 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -31,7 +31,7 @@ jobs:
     steps:
       # we want the head of the branch that triggered this, not the reference of the commit, this is so we get updated go versions etc.
       - name: Check out [${{ inputs.branch || github.ref }}]
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
         with:
           ref: ${{ inputs.branch || github.ref }}
       - name: Update Go env version
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fb8b9122..090a6e9c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Checkout with full history for to allow compare with base branch
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.1
         with:
           fetch-depth: 0
       - uses: actions/setup-python@v6
@@ -52,7 +52,7 @@ jobs:
     - uses: actions/setup-python@v6
     - name: Install tools
       run: pip install detect-secrets[gibberish]==1.5.0 && pip list
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
       with:
         fetch-depth: 0
     # FIXME: GitLeaks requires a licence now
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index d7f1ecc8..123ad03a 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -21,7 +21,7 @@ jobs:
     needs: update-client
     steps:
       # Checkout with full history for to allow compare with base branch
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.1
         with:
           fetch-depth: 0
       - uses: actions/setup-python@v6
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6301343..60000ada 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
     outputs:
       changes: ${{ steps.check.outputs.changes }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.1
       - name: Check if changes directory contains files
         id: check
         run: |
@@ -33,7 +33,7 @@ jobs:
     needs: [ check-for-changes ]
     if: needs.check-for-changes.outputs.changes
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.1
         with:
           # Get the full history as this is required by goreleaser
           fetch-depth: 0
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index caf85e6b..9c8f70cb 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v4.1.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/update-client.yml b/.github/workflows/update-client.yml
index 35b08a0d..2b4a0ec5 100644
--- a/.github/workflows/update-client.yml
+++ b/.github/workflows/update-client.yml
@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout API-Uniform-Contract repo
-      uses: actions/checkout@v6
+      uses: actions/checkout@v6.0.1
       with:
         token: ${{ secrets.GIT_SECRET }}
         repository: Arm-Debug/API-Uniform-Contract
@@ -44,13 +44,13 @@ jobs:
     runs-on: ubuntu-latest
     needs: update-client
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
       with:
         # So that we have correct GIT_TOKEN to push back to branch as we need workflow permissions
         token: ${{ secrets.GIT_SECRET }}
         ref: ${{ inputs.branch || github.head_ref || github.ref }}
     - name: Checkout Update Go action
-      uses: actions/checkout@v6
+      uses: actions/checkout@v6.0.1
       with:
         repository: Arm-Debug/update-go-action
         ref: refs/tags/latest
@@ -75,7 +75,7 @@ jobs:
     - name: Install continuous-delivery-scripts
       run: |
         pip install continuous-delivery-scripts
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
       with:
         ref: ${{ inputs.branch || github.head_ref || github.ref }}
     - name: Download all-service-flat artefact
@@ -155,7 +155,7 @@ jobs:
     needs:
       - build-and-test
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
     - name: Trigger release
       if: contains(${{ inputs.branch || github.head_ref || github.ref }} , 'main')
       run: gh workflow run release.yml -f release_type=release
diff --git a/changes/20251224090607.bugfix b/changes/20251224090607.bugfix
new file mode 100644
index 00000000..926f1a78
--- /dev/null
+++ b/changes/20251224090607.bugfix
@@ -0,0 +1 @@
+Dependency upgrade: checkout-6.0.1