diff --git a/.github/workflows/update-main-version.yml b/.github/workflows/update-main-version.yml
index e2dc111..9dad671 100644
--- a/.github/workflows/update-main-version.yml
+++ b/.github/workflows/update-main-version.yml
@@ -19,7 +19,10 @@ jobs:
   tag:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    # Note this update workflow can also be used as a rollback tool.
+    # For that reason, it's best to pin `actions/checkout` to a known, stable version
+    # (typically, about two releases back).
+    - uses: actions/checkout@v4.1.1
       with:
         fetch-depth: 0
     - name: Git config