diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 49dc904d0..a3f2b9f9d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -285,7 +285,7 @@ jobs:
         uses: codecov/codecov-action@v3.1.4
 
       - name: SonarCloud Scan
-        uses: sonarsource/sonarcloud-github-action@v1.9
+        uses: sonarsource/sonarcloud-github-action@v2.1.1
         # thought about just skipping dependabot
         # if: ${{ github.actor != 'dependabot[bot]' }}
         # but figured all pull requests seems better, since none of them will have access to sonarcloud.
@@ -341,7 +341,7 @@ jobs:
         # if: ${{ github.event_name != 'pull_request' }}
         # so just skip everything but main
         if: github.ref_name == 'main'
-        uses: sonarsource/sonarcloud-github-action@master
+        uses: sonarsource/sonarcloud-github-action@v2.1.1
         with:
           projectBaseDir: spiffworkflow-frontend
         env: