diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml
index 4715bae081..ff52e0a38b 100644
--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       # use this for main repo master builds
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
         with:
           path: ${{ env.OSCAL_HOME }}
           submodules: recursive
diff --git a/.github/workflows/workflow-generate-metaschema-resources.yml b/.github/workflows/workflow-generate-metaschema-resources.yml
index d903cbe939..51056da7e9 100644
--- a/.github/workflows/workflow-generate-metaschema-resources.yml
+++ b/.github/workflows/workflow-generate-metaschema-resources.yml
@@ -36,7 +36,7 @@ jobs:
     # use this for builds triggered from the UI on protected branches
     - name: Checkout Latest (using COMMIT_TOKEN)
       if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         path: ${{ env.CHECKOUT_PATH }}
         token: ${{ secrets.COMMIT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
     # use this for builds triggered from other workflows on protected branches
     - name: Checkout Latest (using access_token)
       if: github.event_name == 'push' && inputs.commit_resources == true
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         path: ${{ env.CHECKOUT_PATH }}
         token: ${{ secrets.access_token }}
@@ -54,7 +54,7 @@ jobs:
     # use this for overything else (i.e., pull requests) where publication is not needed
     - name: Checkout Latest
       if: steps.checkout_latest_workflow.conclusion == 'skipped' && steps.checkout_latest_push.conclusion == 'skipped'
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         path: ${{ env.CHECKOUT_PATH }}
         submodules: recursive
diff --git a/.github/workflows/workflow-generate-website-reference.yml b/.github/workflows/workflow-generate-website-reference.yml
index 4914afd8a0..a64c6fc5be 100644
--- a/.github/workflows/workflow-generate-website-reference.yml
+++ b/.github/workflows/workflow-generate-website-reference.yml
@@ -41,7 +41,7 @@ jobs:
     # 2) The target branch where the metaschemas exist that are the basis of reference information.
     # Checkout the current branch for reading
     - name: Checkout Latest
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         path: ${{ env.BRANCH_PATH }}
         submodules: recursive
@@ -49,7 +49,7 @@ jobs:
     # use this for builds triggered from the UI on protected branches
     - name: Checkout Main (using COMMIT_TOKEN)
       if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         path: ${{ env.MAIN_PATH }}
         ref: ${{ env.MAIN_BRANCH_REF }}
@@ -59,7 +59,7 @@ jobs:
     # use this for builds triggered from other workflows on protected branches
     - name: Checkout Main (using access_token)
       if: github.event_name == 'push' && inputs.commit_resources == true
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         path: ${{ env.MAIN_PATH }}
         ref: ${{ env.MAIN_BRANCH_REF }}
@@ -69,7 +69,7 @@ jobs:
     # use this for overything else (i.e., pull requests) where publication is not needed
     - name: Checkout Main
       if: steps.checkout_main_workflow.conclusion == 'skipped' && steps.checkout_main_push.conclusion == 'skipped'
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         path: ${{ env.MAIN_PATH }}
         ref: ${{ env.MAIN_BRANCH_REF }}
diff --git a/.github/workflows/workflow-generate-website.yml b/.github/workflows/workflow-generate-website.yml
index e2a34f2e96..1b6208ff96 100644
--- a/.github/workflows/workflow-generate-website.yml
+++ b/.github/workflows/workflow-generate-website.yml
@@ -49,7 +49,7 @@ jobs:
     # use this for builds triggered from the UI on protected branches
     - name: Checkout Latest (using COMMIT_TOKEN)
       if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         token: ${{ secrets.COMMIT_TOKEN }}
         submodules: recursive
@@ -57,7 +57,7 @@ jobs:
     # use this for builds triggered from other workflows on protected branches
     - name: Checkout Latest (using access_token)
       if: github.event_name == 'push' && inputs.commit_resources == true
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         token: ${{ secrets.access_token }}
         submodules: recursive
@@ -65,7 +65,7 @@ jobs:
     # use this for overything else (i.e., pull requests) where publication is not needed
     - name: Checkout Latest
       if: steps.checkout_latest_workflow.conclusion == 'skipped' && steps.checkout_latest_push.conclusion == 'skipped'
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         submodules: recursive
     - name: Set env
diff --git a/.github/workflows/workflow-validate-repo-markdown.yml b/.github/workflows/workflow-validate-repo-markdown.yml
index 16ea382270..4d92ad0a98 100644
--- a/.github/workflows/workflow-validate-repo-markdown.yml
+++ b/.github/workflows/workflow-validate-repo-markdown.yml
@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     # use this for pulls where checkout is anonymous
-    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         submodules: recursive
     # Setup runtime environment
diff --git a/.github/workflows/workflow-validate-website-content.yml b/.github/workflows/workflow-validate-website-content.yml
index 158577c08d..0809ab3fd5 100644
--- a/.github/workflows/workflow-validate-website-content.yml
+++ b/.github/workflows/workflow-validate-website-content.yml
@@ -23,11 +23,11 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout Latest
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         fetch-depth: 0 # this ensures that the tag and commit history are available
     - name: Checkout git ref of published website content
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         ref: ${{ inputs.site_git_ref }}
         path: ${{ inputs.site_git_ref_path }}