diff --git a/.github/workflows/generic_build.yml b/.github/workflows/generic_build.yml
index 1be46b59..6183b07b 100644
--- a/.github/workflows/generic_build.yml
+++ b/.github/workflows/generic_build.yml
@@ -83,7 +83,7 @@ jobs:
 
       # NOTE: AMD64 can build within 2 minutes
       - name: 'Build images'
-        uses: docker/build-push-action@v3.3.0
+        uses: docker/build-push-action@v4.0.0
         with:
           context: .
           # Build at least the AMD64 image (which runs against the test suite).
@@ -96,6 +96,8 @@ jobs:
           # This job just builds the image and stores to cache, no other exporting required:
           # https://github.com/docker/build-push-action/issues/546#issuecomment-1122631106
           outputs: type=cacheonly
+          # Disable provenance attestation: https://docs.docker.com/build/attestations/slsa-provenance/
+          provenance: false
 
       # WORKAROUND: The `cache-to: type=local` input for `build-push-action` persists old-unused cache.
       # The workaround is to write the new build cache to a different location that replaces the
diff --git a/.github/workflows/generic_publish.yml b/.github/workflows/generic_publish.yml
index 33b23f53..310a8406 100644
--- a/.github/workflows/generic_publish.yml
+++ b/.github/workflows/generic_publish.yml
@@ -72,7 +72,7 @@ jobs:
         run: echo "version=$(<VERSION)" >>"${GITHUB_OUTPUT}"
 
       - name: 'Build and publish images'
-        uses: docker/build-push-action@v3.3.0
+        uses: docker/build-push-action@v4.0.0
         with:
           context: .
           build-args: |
@@ -82,3 +82,5 @@ jobs:
           push: true
           tags: ${{ steps.prep.outputs.tags }}
           cache-from: type=local,src=/tmp/.buildx-cache
+          # Disable provenance attestation: https://docs.docker.com/build/attestations/slsa-provenance/
+          provenance: false
diff --git a/.github/workflows/generic_test.yml b/.github/workflows/generic_test.yml
index 0dbea378..fcedb9fc 100644
--- a/.github/workflows/generic_test.yml
+++ b/.github/workflows/generic_test.yml
@@ -38,7 +38,7 @@ jobs:
       # Earlier `buildx` + `qemu` steps are not needed as no cache is exported,
       # and only a single platform (AMD64) is loaded:
       - name: 'Build AMD64 image from cache'
-        uses: docker/build-push-action@v3.3.0
+        uses: docker/build-push-action@v4.0.0
         with:
           context: .
           tags: mailserver-testing:ci
@@ -47,6 +47,8 @@ jobs:
           # Rebuilds the AMD64 image from the cache:
           platforms: linux/amd64
           cache-from: type=local,src=/tmp/.buildx-cache
+          # Disable provenance attestation: https://docs.docker.com/build/attestations/slsa-provenance/
+          provenance: false
 
       - name: 'Run tests'
         run: make generate-accounts tests/${{ matrix.part }}