diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index 84de183..8e821ea 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -21,7 +21,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        # Repinned from 34e114876b… (unique to this workflow, job fast-failed
+        # ~12s at this first step) to the SHA used by every other passing
+        # workflow in the repo. The setup-beam pins were a red herring.
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
           fetch-depth: 0
 
@@ -34,6 +37,7 @@ jobs:
           # the dogfooding job red estate-wide regardless of PR content.
           # Major/minor (loose) so patch availability cannot re-break it.
           # Bump deliberately to whatever Hypatia's scanner actually requires.
+          # (no-op touch to trigger a verification run of these pins)
           elixir-version: '1.18'
           otp-version: '27'