diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 017c9624..d2539d5b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,12 +81,12 @@ jobs:
       # split so RUSTSEC advisory failures surface as a distinct step.
       # vulnerabilities always error under [advisories] version = 2.
       - name: cargo-deny advisories (RUSTSEC)
-        uses: EmbarkStudios/cargo-deny-action@a531616d8ce3b9177443e48a1159bc945a099823 # v2.0.19
+        uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
         with:
           command: check advisories
           arguments: --all-features
       - name: cargo-deny bans + licenses + sources
-        uses: EmbarkStudios/cargo-deny-action@a531616d8ce3b9177443e48a1159bc945a099823 # v2.0.19
+        uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
         with:
           command: check bans licenses sources
           arguments: --all-features