diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index 662cdc0..6dfc96c 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -20,7 +20,7 @@ jobs:
  shell: bash
  - name: Checkout repository
- uses: actions/checkout@master
+ uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
  - name: Build artifacts
  run: |
@@ -46,10 +46,10 @@ jobs:
  actions: read
  id-token: write
  contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
  with:
  base64-subjects: "${{ needs.build.outputs.hashes }}"
- upload-assets: true
+ upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
  release:
  needs: [build, provenance]
@@ -60,7 +60,7 @@ jobs:
  shell: bash
  - name: Download ${{ env.REPOSITORY_NAME }}.sha256
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
  with:
  name: ${{ env.REPOSITORY_NAME }}.sha256
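Review bot: The new pin on the `actions/checkout` line is a commit taken from the master branch, and the trailing `# master` comment does not say which release it corresponds to. The SHA stops the ref from moving, but a reader cannot tell which version of the action runs, and update tooling that reads the version comment has nothing to compare against. I would pin to the commit of a tagged release and record the tag, e.g. `uses: actions/checkout@<full-sha-of-release-tag> # vX.Y.Z` (placeholders; take both values from the action's release page). The step list continues outside the hunk.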
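Review bot: The generator reference on the `uses:` line stays on a version tag while the other actions in this file are pinned to commit SHAs, and nothing in the workflow says why. slsa-github-generator's reusable workflows have to be referenced by a full `vX.Y.Z` tag for the provenance to verify, so a comment above the line would keep a later pinning pass from breaking it: `# Must be referenced by tag (vX.Y.Z), not by SHA: required by slsa-github-generator.` Separately, with `upload-assets` now false on non-tag refs, it is worth confirming that the `release` job, whose condition is not visible in this hunk, only runs on tags and still finds the provenance file it expects.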
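Review bot: The new `actions/download-artifact` pin moves backwards, from the commit labelled `# v3.0.2` to one labelled `# v2.1.1`, in a commit that otherwise tightens or upgrades references. An older major line of the action is likely to run on an older Node runtime and to lack later fixes, and the matching upload step is not visible here, so the two may end up on different majors. Unless the downgrade is deliberate, keep `uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2`; if it is deliberate, say why in a comment on the step. Either way, confirm that the SHA resolves to the tag named in the comment, since the comment is the only version information a reader gets.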