diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 68fd01a..80f7422 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -73,7 +73,7 @@ jobs:
       - name: Upload the SBOM artifact
         # TODO(supply-chain): pin to a commit SHA like the other actions here before this gate is
         # made blocking (kept on the @v4 tag for now to avoid a guessed SHA).
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: sbom-cyclonedx
           path: sbom.cdx.json