diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index d93c4ff..4365141 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -155,7 +155,7 @@ jobs:
 
       - name: Upload provenance verification results
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
         with:
           name: provenance-${{ steps.meta.outputs.server_name }}
           path: provenance-${{ steps.meta.outputs.server_name }}.txt
@@ -250,7 +250,7 @@ jobs:
 
       - name: Upload scan results
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
         with:
           name: mcp-scan-${{ steps.meta.outputs.server_name }}
           path: |
@@ -393,7 +393,7 @@ jobs:
       - name: Download MCP security scan results
         id: download-scan
         if: github.event_name != 'pull_request'
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
         with:
           name: mcp-scan-${{ steps.meta.outputs.server_name }}
           path: /tmp/scan-results
@@ -478,7 +478,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Download all scan results
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
         with:
           pattern: mcp-scan-*
           path: scan-artifacts