diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index cd0dd6d..73e5d48 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -11,6 +11,7 @@ jobs:
       id-token: write
       contents: write
       attestations: write
+      artifact-metadata: write
       actions: read
     timeout-minutes: 10
     steps:
@@ -40,7 +41,7 @@ jobs:
       run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
     - name: Upload App to Artifacts
       id: upload
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         name: Secretive
         path: Artifact
@@ -59,7 +60,7 @@ jobs:
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
     - name: Attest
       id: attest
-      uses: actions/attest-build-provenance@v2
+      uses: uses: actions/attest@v4
       with:
         subject-name: "Secretive.zip"
         subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
diff --git a/.github/workflows/oneoff.yml b/.github/workflows/oneoff.yml
index f394e60..9b1dbcf 100644
--- a/.github/workflows/oneoff.yml
+++ b/.github/workflows/oneoff.yml
@@ -10,6 +10,7 @@ jobs:
       id-token: write
       contents: write
       attestations: write
+      artifact-metadata: write
       actions: read
     timeout-minutes: 10
     steps:
@@ -39,7 +40,7 @@ jobs:
       run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
     - name: Upload App to Artifacts
       id: upload
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         name: Secretive
         path: Artifact
@@ -58,7 +59,7 @@ jobs:
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
     - name: Attest
       id: attest
-      uses: actions/attest-build-provenance@v2
+      uses: actions/attest@v4
       with:
         subject-name: "Secretive.zip"
         subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 29bbaef..a88efe6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
       id-token: write
       contents: write
       attestations: write
+      artifact-metadata: write
       actions: read
     runs-on: macos-26
     timeout-minutes: 10
@@ -63,7 +64,7 @@ jobs:
       run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact
     - name: Upload App to Artifacts
       id: upload
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         name: Secretive.zip
         path: Artifact
@@ -82,7 +83,7 @@ jobs:
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
     - name: Attest
       id: attest
-      uses: actions/attest-build-provenance@v2
+      uses: actions/attest@v4
       with:
         subject-path: "Secretive.zip"
     - name: Create Release