diff --git a/.github/workflows/image-build-push.yaml b/.github/workflows/image-build-push.yaml
index de83604..76ef3cd 100644
--- a/.github/workflows/image-build-push.yaml
+++ b/.github/workflows/image-build-push.yaml
@@ -15,6 +15,9 @@ permissions:
   # This is used to complete the identity challenge with sigstore/fulcio.
   id-token: write
 
+  # This is used to attest build provenance
+  attestations: write
+
 jobs:
   build-push:
-    uses: darbiadev/.github/.github/workflows/docker-build-push.yaml@29197a38ef3741064f47b623ede0c1ad22402c57 # v13.0.3
+    uses: darbiadev/.github/.github/workflows/docker-build-push.yaml@12e07d61ed37c908baa73f8d5550281b3ed9cddd # v13.1.2
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
index e32e05f..105c789 100644
--- a/.github/workflows/lint-test.yaml
+++ b/.github/workflows/lint-test.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout repository"
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: "Setup PDM"
         uses: pdm-project/setup-pdm@568ddd69406b30de1774ec0044b73ae06e716aa4 # v4