diff --git a/.github/workflows/reusable-copy-to-s3.yml b/.github/workflows/reusable-copy-to-s3.yml
index 7720eb8..35a0628 100644
--- a/.github/workflows/reusable-copy-to-s3.yml
+++ b/.github/workflows/reusable-copy-to-s3.yml
@@ -97,7 +97,7 @@ jobs:
           if [ "$ERRORS" = true ]; then
             exit 1
           fi
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         if: ${{ inputs.direction == 'to' }}
         with:
           name: ${{ inputs.artifact-name }}
diff --git a/.github/workflows/reusable-docker-build.yml b/.github/workflows/reusable-docker-build.yml
index 835ebaf..39d462c 100644
--- a/.github/workflows/reusable-docker-build.yml
+++ b/.github/workflows/reusable-docker-build.yml
@@ -296,7 +296,7 @@ jobs:
           registryGhcrPasswordOverride: ${{ secrets.GH_CI_USER_TOKEN }}
         run: |
           echo "${{ env.registryGhcrPasswordOverride }}" | crane auth login ghcr.io -u ${{ env.registryGhcrUsernameOverride }} --password-stdin
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         if: ${{ inputs.artifact-name != '' && inputs.artifact-path != '' }}
         with:
           name: ${{ inputs.artifact-name }}