diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e23c5b27..7874c5d4 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,10 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "ci:"
+    ignore:
+      # Ignore v6 until update-flake-lock upgrades to create-pull-request@v7.0.9+
+      - dependency-name: "actions/checkout"
+        update-types: ["version-update:semver-major"]
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -15,3 +19,7 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "ci:"
+    ignore:
+      # Ignore v6 until update-flake-lock upgrades to create-pull-request@v7.0.9+
+      - dependency-name: "actions/checkout"
+        update-types: ["version-update:semver-major"]
diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml
index 0f342154..3d03461b 100644
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -35,7 +35,12 @@ jobs:
             echo "email=$id+$name@users.noreply.github.com"
           } >> "$GITHUB_OUTPUT"
       - name: Checkout repository
-        uses: actions/checkout@v6
+        # NOTE: v6 is incompatible with update-flake-lock@v27 due to credential
+        # storage changes. update-flake-lock uses peter-evans/create-pull-request@v6.0.5
+        # which doesn't work with v6's $RUNNER_TEMP credential storage.
+        # Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+
+        # See: https://github.com/peter-evans/create-pull-request/issues/690
+        uses: actions/checkout@v5
         with:
           ref: ${{ matrix.branch }}
           token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}