diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index cc0e6331d..c6357d408 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -18,6 +18,11 @@ jobs:
     env:
       SETUPTOOLS_SCM_PRETEND_VERSION: ${{ github.event.inputs.version }}
     timeout-minutes: 10
+    
+    # Required by attest-build-provenance-github.
+    permissions:
+      id-token: write
+      attestations: write
 
     steps:
     - uses: actions/checkout@v4
@@ -26,7 +31,9 @@ jobs:
         persist-credentials: false
 
     - name: Build and Check Package
-      uses: hynek/build-and-inspect-python-package@v2.4.0
+      uses: hynek/build-and-inspect-python-package@v2.5.0
+      with:
+        attest-build-provenance-github: 'true'
 
   deploy:
     if: github.repository == 'pytest-dev/pytest'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 443474067..b294c1b4a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,13 +29,19 @@ permissions: {}
 jobs:
   package:
     runs-on: ubuntu-latest
+    # Required by attest-build-provenance-github.
+    permissions:
+      id-token: write
+      attestations: write
     steps:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
         persist-credentials: false
     - name: Build and Check Package
-      uses: hynek/build-and-inspect-python-package@v2.4.0
+      uses: hynek/build-and-inspect-python-package@v2.5.0
+      with:
+        attest-build-provenance-github: 'true'
 
   build:
     needs: [package]