diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c5da4ee9..bb953dbc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -55,7 +55,10 @@ jobs:
 actions: read # Needed for detection of GitHub Actions environment.
 id-token: write # Needed for provenance signing and ID
 contents: write # Needed for release uploads
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@68bad40844440577b33778c9f29077a3388838e9 # v1.4.0
+ # slsa-framework/slsa-github-generator doesn't support pinning version
+ # > Invalid ref: 68bad40844440577b33778c9f29077a3388838e9. Expected ref of the form refs/tags/vX.Y.Z
+ # https://github.com/slsa-framework/slsa-github-generator/issues/722
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 # Upload provenance to a new release
diff --git a/renovate.json5 b/renovate.json5
index 364023cb..9706e90a 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -8,4 +8,18 @@
 prHourlyLimit: 0,
 prConcurrentLimit: 0,
 branchConcurrentLimit: 0,
+ packageRules: [
+ {
+ matchUpdateTypes: ["digest"],
+ enabled: false,
+ },
+ {
+ // slsa-framework/slsa-github-generator doesn't support pinning version
+ // > Invalid ref: 68bad40844440577b33778c9f29077a3388838e9. Expected ref of the form refs/tags/vX.Y.Z
+ // https://github.com/slsa-framework/slsa-github-generator/issues/722
+ matchDepTypes: ["action"],
+ matchPackageNames: ["slsa-framework/slsa-github-generator"],
+ pinDigests: false,
+ },
+ ],
 }
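Review bot: The new `uses:` line references the reusable workflow by the mutable tag `v1.4.0` while the job keeps `id-token: write` and `contents: write` (visible in the context lines), so whoever can move that tag upstream decides what runs with the OIDC signing identity and release-upload rights; the commit's reason (the generator rejects a SHA ref, per the quoted error) is sound, but the comment only records the limitation, not that this is a deliberate exception to the repository's SHA-pinning policy or when it should be revisited. Add a line after the issue link: `# TODO: re-pin to a commit SHA once the upstream issue is resolved; until then this is the one unpinned reusable workflow`. The enclosing job definition starts before the hunk, so the permissions block shown here is presumably the job-level one for this call. Also worth double-checking that the `# v1.4.0` version marker that Renovate read from the old line is no longer needed for its own bookkeeping now that the ref itself is the tag.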
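Review bot: The first added packageRules entry (`matchUpdateTypes: ["digest"], enabled: false`) has no package or manager matcher, so as written it switches off digest-only updates for every dependency Renovate manages in this repository, not just the SLSA generator; the second entry is the one scoped to `slsa-framework/slsa-github-generator` and already achieves the stated goal with `pinDigests: false`. If the global rule is intentional (for example to suppress noise when a tag is force-moved), it needs a comment saying so, because a moved tag on a SHA-pinned action is exactly the event a digest update would surface; otherwise drop the first rule, or narrow it with the same `matchDepTypes` / `matchPackageNames` pair the second rule uses. Suggested comment if kept: `// Intentionally global: digest-only bumps (tag moved, version unchanged) are not wanted for any dependency`. This assumes Renovate's `digest` update type covers all managers, which matches the documented behaviour but should be confirmed against the version in use.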