diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 4d3c001743..a4e149be4d 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -79,7 +79,7 @@ jobs:
 
       # Build locally first, scan, then push only if scans pass
       - name: Build image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           file: docker/backend/Dockerfile
@@ -117,7 +117,7 @@ jobs:
       # to SBOM + provenance attestation layers added only on push.
       - name: Push image
         id: push
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           file: docker/backend/Dockerfile
@@ -178,7 +178,7 @@ jobs:
 
       # Build locally first, scan, then push only if scans pass
       - name: Build image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           file: docker/web/Dockerfile
@@ -215,7 +215,7 @@ jobs:
       # but manifest digest differs due to SBOM + provenance attestation layers.
       - name: Push image
         id: push
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           file: docker/web/Dockerfile