diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 2fa9569f3fb6..04c70a767ce0 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -189,6 +189,8 @@ jobs:
     environment: release
     permissions:
       id-token: write
+      attestations: write
+      contents: read
     steps:
       - name: Download packages
         uses: actions/download-artifact@v4
@@ -200,5 +202,10 @@ jobs:
       - name: Print out packages
         run: ls dist
 
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d  # v1.1.2
+        with:
+          subject-path: dist/matplotlib-*
+
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450  # v1.8.14
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2dc1ca5352c0..14817e95929f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -79,7 +79,7 @@ repos:
       - id: yamllint
         args: ["--strict", "--config-file=.yamllint.yml"]
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.1
+    rev: 0.28.4
     hooks:
       # TODO: Re-enable this when https://github.com/microsoft/azure-pipelines-vscode/issues/567 is fixed.
       # - id: check-azure-pipelines