diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 61e1b78..4ce993f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -716,17 +716,17 @@ jobs:
 
       # ── Artifact attestations (SLSA provenance) ──────────────
       - name: Attest build provenance (tar.gz)
-        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: '*.tar.gz'
 
       - name: Attest build provenance (zip)
-        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: '*.zip'
 
       - name: Attest build provenance (checksums)
-        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: 'checksums.txt'