diff --git a/.github/scripts/cherry-pick-to-release.sh b/.github/scripts/cherry-pick-to-release.sh
index 8b3172cc50..a8612e7453 100755
--- a/.github/scripts/cherry-pick-to-release.sh
+++ b/.github/scripts/cherry-pick-to-release.sh
@@ -143,7 +143,7 @@ lookup_milestone() {
   MILESTONE_ARG=""
   MILESTONE_NOTE=""
 
-  if gh api "repos/${GITHUB_REPOSITORY}/milestones" --paginate \
+  if gh api "repos/${GITHUB_REPOSITORY}/milestones" --method GET --paginate \
       --field state=open --jq '.[].title' | grep -qx "${version}"; then
     MILESTONE_ARG="--milestone ${version}"
     echo "Milestone '${version}' found."
diff --git a/.github/scripts/tests/cherry-pick-to-release.bats b/.github/scripts/tests/cherry-pick-to-release.bats
index b8d40a3b3e..68ef3d7f8c 100644
--- a/.github/scripts/tests/cherry-pick-to-release.bats
+++ b/.github/scripts/tests/cherry-pick-to-release.bats
@@ -138,6 +138,8 @@ STUB
   [ "$status" -eq 0 ]
   # Verify the git fetch targeted release/7.0.
   grep -q "GIT: fetch origin release/7.0" "${STUB_DIR}/git.log"
+  # Milestone lookup must use GET to avoid accidentally POSTing to the create endpoint.
+  grep "GH: api repos/dotnet/SqlClient/milestones" "${STUB_DIR}/gh.log" | grep -q "\-\-method GET"
 }
 
 @test "derives release/8.0 from version 8.0.0" {
@@ -259,6 +261,8 @@ STUB
   run bash "${SCRIPT}"
   [ "$status" -eq 0 ]
   [[ "$output" == *"does not exist"* ]]
+  # Milestone lookup must use GET to avoid accidentally POSTing to the create endpoint.
+  grep "GH: api repos/dotnet/SqlClient/milestones" "${STUB_DIR}/gh.log" | grep -q "\-\-method GET"
 }
 
 # ── Conflict handling ───────────────────────────────────────────────────────
diff --git a/.github/workflows/cherry-pick-hotfix.yml b/.github/workflows/cherry-pick-hotfix.yml
index 9110a58fa2..794d8e41d3 100644
--- a/.github/workflows/cherry-pick-hotfix.yml
+++ b/.github/workflows/cherry-pick-hotfix.yml
@@ -57,7 +57,7 @@ jobs:
       versions: ${{ steps.extract.outputs.versions }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           # Only the scripts directory is needed; skip full history.
           sparse-checkout: .github/scripts
@@ -91,7 +91,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           # Full history is required so the merge commit and target branch are available
           # for the cherry-pick operation.