diff --git a/scripts/install-actionlint.sh b/scripts/install-actionlint.sh
index 2580929..b8cb3a9 100755
--- a/scripts/install-actionlint.sh
+++ b/scripts/install-actionlint.sh
@@ -21,10 +21,8 @@
 # checksums page is temporarily unreachable. CI should treat `SKIP` as a
 # pre-commit failure (audit hygiene).
 #
-# [UNVERIFIED IN THIS SESSION] — the four SHA256_* values below were
-# inserted by this patch without live WebFetch. They are marked SKIP so
-# the installer does not enforce them; the env override
-# `ACTIONLINT_SHA256_OVERRIDE` can inject the real hash at CI time.
+# [VERIFIED 2026-04-22 via curl https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt]
+# The four SHA256_* values below are pinned to upstream checksums.txt rows.
 
 set -eu
 
@@ -33,11 +31,11 @@ INSTALL_DIR="${HOME}/.local/bin"
 BIN="${INSTALL_DIR}/actionlint"
 
 # Per (OS, ARCH) SHA-256 hashes. See comment block above.
-# Marked SKIP pending a live upstream fetch.
-SHA256_DARWIN_AMD64="SKIP"
-SHA256_DARWIN_ARM64="SKIP"
-SHA256_LINUX_AMD64="SKIP"
-SHA256_LINUX_ARM64="SKIP"
+# [VERIFIED: https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt]
+SHA256_DARWIN_AMD64="5b44c3bc2255115c9b69e30efc0fecdf498fdb63c5d58e17084fd5f16324c644"
+SHA256_DARWIN_ARM64="aba9ced2dee8d27fecca3dc7feb1a7f9a52caefa1eb46f3271ea66b6e0e6953f"
+SHA256_LINUX_AMD64="8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8"
+SHA256_LINUX_ARM64="325e971b6ba9bfa504672e29be93c24981eeb1c07576d730e9f7c8805afff0c6"
 
 if command -v actionlint >/dev/null 2>&1; then
   printf 'actionlint already on PATH: %s\n' "$(command -v actionlint)"