diff --git a/.github/workflows/build-attestation.yml b/.github/workflows/build-attestation.yml
index 3273528..7af591a 100644
--- a/.github/workflows/build-attestation.yml
+++ b/.github/workflows/build-attestation.yml
@@ -43,7 +43,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: devsec-vault-build
           path: dist/
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index ad49ec7..b55533b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -70,7 +70,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload scan artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: scan-reports
@@ -128,7 +128,7 @@ jobs:
           "
 
       - name: Upload Bandit report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: bandit-report
@@ -210,7 +210,7 @@ jobs:
           "
 
       - name: Upload pip-audit report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: dependency-audit