diff --git a/.github/workflows/docs-sync.lock.yml b/.github/workflows/docs-sync.lock.yml index 89bb8e03d..f120ebdef 100644 --- a/.github/workflows/docs-sync.lock.yml +++ b/.github/workflows/docs-sync.lock.yml @@ -449,6 +449,7 @@ jobs: - name: Restore APM packages (all bundles) uses: microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 with: + apm-version: 0.12.4 bundles-file: /tmp/gh-aw/apm-bundle-list.txt - name: Checkout PR branch @@ -1089,6 +1090,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: + apm-version: 0.12.4 archive: "true" dependencies: ${{ steps.list.outputs.deps }} isolated: "true" diff --git a/.github/workflows/pr-review-panel.lock.yml b/.github/workflows/pr-review-panel.lock.yml index 943172723..26511e638 100644 --- a/.github/workflows/pr-review-panel.lock.yml +++ b/.github/workflows/pr-review-panel.lock.yml @@ -453,6 +453,7 @@ jobs: - name: Restore APM packages (all bundles) uses: microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 with: + apm-version: 0.12.4 bundles-file: /tmp/gh-aw/apm-bundle-list.txt - name: Configure Git credentials @@ -1119,6 +1120,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: + apm-version: 0.12.4 archive: "true" dependencies: ${{ steps.list.outputs.deps }} isolated: "true" diff --git a/.github/workflows/shared/apm.md b/.github/workflows/shared/apm.md index 9e3a18256..c194c8f8a 100644 --- a/.github/workflows/shared/apm.md +++ b/.github/workflows/shared/apm.md 
@@ -66,6 +66,16 @@ # target: copilot # packages: # - microsoft/apm-sample-package +# +# 5. Pin a specific apm CLI version (overrides the action's built-in default): +# +# imports: +# - uses: shared/apm.md +# with: +# apm-version: '0.20.0' +# target: copilot +# packages: +# - microsoft/apm-sample-package import-schema: packages: @@ -158,6 +168,24 @@ import-schema: so any apm.yml in the consumer repo is intentionally ignored -- this input is the sole target signal. + # apm CLI version (overrides apm-action's pinned default) + apm-version: + type: string + required: false + # MAINTENANCE: this default MUST mirror the apm-version default shipped + # by the pinned microsoft/apm-action ref used in the Pack and Restore + # steps below. gh-aw substitutes this value at compile time when a + # consumer omits apm-version, so an empty string is never forwarded to + # apm-action (an empty apm-version floats the action to 'latest', the + # opposite of the pinned default). Bump this in lockstep with the action. + default: '0.12.4' + description: > + apm CLI version for apm-action to install, as a bare semver tag (e.g. + '0.12.4'); pass 'latest' to opt into floating to the newest release. + Omit to use apm-action's pinned default. Applied to both the Pack and + Restore apm-action steps so the CLI version cannot skew between packing + and restoring. + jobs: apm-prep: runs-on: ubuntu-slim @@ -370,6 +398,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: + apm-version: ${{ github.aw.import-inputs.apm-version }} dependencies: ${{ steps.list.outputs.deps }} isolated: 'true' pack: 'true' @@ -450,6 +479,7 @@ steps: - name: Restore APM packages (all bundles) uses: microsoft/apm-action@v1.7.2 with: + apm-version: ${{ github.aw.import-inputs.apm-version }} bundles-file: /tmp/gh-aw/apm-bundle-list.txt --- 
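Review bot: In the `apm-version` entry added under `import-schema` (hunk `@@ -158,6 +168,24 @@`), the `description` says omitting the input uses apm-action's pinned default, but the MAINTENANCE comment just above says gh-aw substitutes this file's own `default: '0.12.4'` at compile time. The value a consumer actually gets is therefore a hand-maintained copy, and nothing visible in this diff enforces the lockstep. If the action ref is bumped without this default, consumers stay on the older CLI with no signal. I would reword the sentence to `Omit to use the default declared here, which is kept in step with apm-action's pinned default.` and add a CI check that compares the two values. The description should also say that `'latest'` gives up reproducibility, because the Pack step runs whatever CLI is installed with `GITHUB_TOKEN` in its environment.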
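Review bot: The new `apm-version: ${{ github.aw.import-inputs.apm-version }}` line in the Pack step (hunk `@@ -370,6 +398,7 @@`) is unquoted, unlike its neighbours `isolated: 'true'` and `pack: 'true'`; the same applies to the Restore step in hunk `@@ -450,6 +479,7 @@`. The compiled lock files in this commit show the value as the plain scalar `apm-version: 0.12.4`, which is still a string only because it has two dots. If gh-aw substitutes the text before YAML parsing (not visible here, so please confirm), a two-part value such as `1.10` would be read as a float and reach the action as a different version than the one requested. I would quote it in both steps, `apm-version: '${{ github.aw.import-inputs.apm-version }}'`, and check that the regenerated lock files emit a quoted string. Both step bodies start outside their hunks.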
diff --git a/.github/workflows/triage-panel.lock.yml b/.github/workflows/triage-panel.lock.yml index 44f074dc2..1b5ed147a 100644 --- a/.github/workflows/triage-panel.lock.yml +++ b/.github/workflows/triage-panel.lock.yml @@ -463,6 +463,7 @@ jobs: - name: Restore APM packages (all bundles) uses: microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 with: + apm-version: 0.12.4 bundles-file: /tmp/gh-aw/apm-bundle-list.txt - name: Configure Git credentials @@ -1187,6 +1188,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: + apm-version: 0.12.4 archive: "true" dependencies: ${{ steps.list.outputs.deps }} isolated: "true" diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a517122c..3fac98c42 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added +- The shared gh-aw workflow `.github/workflows/shared/apm.md` exposes an optional `apm-version` import input that pins the apm CLI version for both the pack and restore `microsoft/apm-action` steps (so the two cannot skew), surviving `gh aw update` without hand-editing the vendored file. Omitting it falls through to the action's pinned default via a gh-aw schema default, so non-opting consumers stay reproducible instead of floating to `latest`. (#1842) - Org-wide policy discovery now cascades through candidate repo names (`.github`, then `.apm`, then `_apm`) and speaks the Azure DevOps Items API, so Azure DevOps organizations -- which forbid repo names that begin diff --git a/docs/src/content/docs/integrations/gh-aw.md b/docs/src/content/docs/integrations/gh-aw.md index 2488c19d6..76ee1d66c 100644 --- a/docs/src/content/docs/integrations/gh-aw.md +++ b/docs/src/content/docs/integrations/gh-aw.md 
@@ -63,6 +63,21 @@ The APM compilation target is automatically inferred from the configured `engine Packages are fetched using gh-aw's cascading token fallback: `GH_AW_PLUGINS_TOKEN` -> `GH_AW_GITHUB_TOKEN` -> `GITHUB_TOKEN`. +**Pinning the apm CLI version (optional):** + +By default the import installs the apm CLI version that the pinned `microsoft/apm-action` ships. To install a specific version instead -- for example to opt into a newer CLI for a packaging fix -- set the optional `apm-version` input. It is threaded into both the pack and restore steps so the version cannot skew between them, and it survives `gh aw update` (no need to hand-edit the vendored `shared/apm.md`): + +```yaml +imports: + - uses: shared/apm.md + with: + apm-version: '0.20.0' + packages: + - microsoft/apm-sample-package +``` + +Use a bare semver tag (e.g. `'0.20.0'`). Pass `'latest'` to opt into floating to the newest release; omit the input entirely to keep the action's pinned default. + :::note[Isolated install by default] `shared/apm.md` invokes `microsoft/apm-action` with `isolated: true`. Only the packages listed under `packages:` are installed -- any host-repo primitives under `.apm/` or `.github/` (instructions, prompts, skills, agents) are ignored and pre-existing primitive directories are cleared. To merge host-repo primitives with imported ones, use the [apm-action Pre-Step](#apm-action-pre-step) approach below, which leaves `isolated` at its default of `false`. :::