diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 69619cac..35561e5b 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -47,7 +47,7 @@ jobs:
         # the token in that case, so the upload would fail. The SARIF is still
         # available as a workflow artifact (uploaded below) for reviewers.
         if: github.event.pull_request.head.repo.fork != true
-        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3.35.2
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           sarif_file: govulncheck.sarif
           category: govulncheck