diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0578d588..69205e78 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -80,7 +80,7 @@ jobs:
         upload-release-assets: ${{ runner.os == 'Windows' }}
 
     - name: Attest artifacts
-      uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+      uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1
       if: |
         runner.os == 'Windows' &&
         github.event.repository.fork == false &&
diff --git a/.github/workflows/dependabot-approve.yml b/.github/workflows/dependabot-approve.yml
index 7b75c1cc..eae24d76 100644
--- a/.github/workflows/dependabot-approve.yml
+++ b/.github/workflows/dependabot-approve.yml
@@ -30,6 +30,7 @@ jobs:
       - name: Approve pull request and enable auto-merge
         shell: bash
         if: |
+          contains(steps.dependabot-metadata.outputs.dependency-names, 'actions/attest-build-provenance') ||
           contains(steps.dependabot-metadata.outputs.dependency-names, 'actions/cache') ||
           contains(steps.dependabot-metadata.outputs.dependency-names, 'actions/checkout') ||
           contains(steps.dependabot-metadata.outputs.dependency-names, 'actions/dependency-review-action') ||