diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 87cb6a2..4adba47 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,7 +12,7 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       # Belt-and-suspenders: when triggered by a tag push, refuse to publish
       # if the tag (e.g. v0.3.0) doesn't match the committed VERSION file.
@@ -31,7 +31,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: 22
           registry-url: https://registry.npmjs.org
@@ -54,7 +54,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Create GitHub Release
         env:
           GH_TOKEN: ${{ github.token }}
@@ -71,7 +71,7 @@ jobs:
       contents: read
       packages: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # Third-party actions pinned to commit SHA (supply-chain hardening); the
       # release pipeline has packages:write, so a hijacked tag could poison
       # published images. Tag comments are the resolved version.