diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
deleted file mode 100644
index 9b35bb2..0000000
--- a/.github/workflows/manual-publish.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-name: Publish Package
-on:
- workflow_dispatch:
- inputs:
- dry_run:
- description: 'Is this a dry run? If so no package will be published.'
- type: boolean
- required: true
-
-jobs:
- build-publish:
- runs-on: ubuntu-latest
- # Needed to get tokens during publishing.
- permissions:
- id-token: write
- contents: read
- outputs:
- package-hashes: ${{ steps.build.outputs.package-hashes}}
- steps:
- - uses: actions/checkout@v4
-
- - uses: actions/setup-python@v5
- with:
- python-version: 3.9
-
- - name: Install poetry
- uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
-
- - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
- name: 'Get PyPI token'
- with:
- aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
- ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
-
- - uses: ./.github/actions/build
- id: build
-
- - name: Publish package distributions to PyPI
- if: ${{ inputs.dry_run == false }}
- uses: pypa/gh-action-pypi-publish@release/v1
- with:
- password: ${{env.PYPI_AUTH_TOKEN}}
-
- release-provenance:
- needs: [ 'build-publish' ]
- permissions:
- actions: read
- id-token: write
- contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
- with:
- base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
- upload-assets: ${{ !inputs.dry_run }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 751cdfc..051f969 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -83,7 +83,7 @@ jobs:
 ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 password: ${{ env.PYPI_AUTH_TOKEN }}
 packages-dir: packages/sdk/server-ai/dist/
@@ -124,11 +124,7 @@ jobs:
 ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
 - name: Publish to PyPI
- # Pin the action to a full 40-character commit SHA for security.
- # Release v1 commit SHA as of 2024-06-14:
- # https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13
- # Commit SHA: 19af04270e8d898ea07a523bb392fa7fe98df87c
- uses: pypa/gh-action-pypi-publish@19af04270e8d898ea07a523bb392fa7fe98df87c
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 password: ${{ env.PYPI_AUTH_TOKEN }}
 packages-dir: packages/ai-providers/server-ai-langchain/dist/
@@ -167,8 +163,7 @@ jobs:
 - name: Publish to PyPI
 if: ${{ inputs.dry_run != true }}
- # https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.13 - pinned to commit on 2024-04-13
- uses: pypa/gh-action-pypi-publish@3cc2c35166dfc1e5ea3bb0491ffdeedcaa50d7c
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 password: ${{ env.PYPI_AUTH_TOKEN }}
 packages-dir: ${{ inputs.workspace_path }}/dist/
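Review bot: The trailing `# v1.13.0` on the new `uses:` line in the `@@ -83,7 +83,7 @@` hunk is the only thing tying the 40-character SHA to a release, and nothing visible in this diff keeps the two in step; the same line is added in the `-124,11` and `-167,8` hunks. The lines removed there show the earlier hand-maintained pins had stayed at v1.8.13 while this step followed the mutable `release/v1` ref, so the three publish paths were running different code. It is worth confirming the SHA against the upstream v1.13.0 tag before merge, and enabling automated action updates (for example Dependabot's `github-actions` ecosystem) so that all three pins move together.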
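Review bot: `password: ${{ env.PYPI_AUTH_TOKEN }}` in the context of the `@@ -124,11 +124,7 @@` hunk (and of the other two hunks) shows the publish still relies on a long-lived PyPI token, which the earlier secrets step presumably exports into the job environment through `ssm_parameter_pairs`, where later steps of the same job can read it. Pinning the publish action protects only the step that consumes the token; the `uses:` line of the step that fetches it is outside the hunk, and if it is still referenced by a tag it deserves the same SHA pin. Longer term, PyPI trusted publishing (`id-token: write` on the job and no `password:` input) would remove the stored token altogether, assuming the project's PyPI configuration allows it.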
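Review bot: The pin removed in the `@@ -167,8 +163,7 @@` hunk, `3cc2c35166dfc1e5ea3bb0491ffdeedcaa50d7c`, is 39 hex characters rather than 40, so this path carried a ref that was not a full commit SHA until this change; whether it ever resolved is not visible here. The replacement is 40 characters, but nothing in the diff would stop the same slip from recurring on the next manual bump. A small CI lint that requires every third-party `uses:` ref to match `[0-9a-f]{40}` would catch this class of mistake at review time.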