diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 472a58e..32839a2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,16 +12,19 @@ permissions: read-all
 jobs:
 test:
 permissions:
- contents: write # needed for the auto-release step (gh release create)
- id-token: write # needed for actions/attest-build-provenance (SLSA Level 3)
- attestations: write # needed for actions/attest-build-provenance
- actions: read # explicit; needed for run metadata in attestations
- # windows-latest (GitHub-hosted) for both push and PR. RackStack is a public
+ contents: write # needed for the auto-release step (gh release create)
+ id-token: write # needed for actions/attest-* (SLSA L3 provenance + SBOM)
+ attestations: write # needed for actions/attest-* (persist the attestation)
+ artifact-metadata: write # needed by actions/attest v4 (create the artifact storage record)
+ actions: read # explicit; needed for run metadata in attestations
+ # windows-2025 (GitHub-hosted) for both push and PR. RackStack is a public
 # repo — running on a self-hosted runner means anyone can fork, open a PR,
- # and execute arbitrary code on the runner host. windows-latest is free and
- # unlimited for public repos, has PowerShell 7 + pwsh + Git pre-installed,
- # and avoids the security exposure entirely.
- runs-on: windows-latest
+ # and execute arbitrary code on the runner host. windows-2025 is free and
+ # unlimited for public repos, ships Windows PowerShell 5.1 + pwsh 7 + .NET
+ # Framework 4.8 + Git, and avoids the security exposure entirely. Pinned
+ # explicitly (rather than windows-latest) ahead of the 2026-06-15 image
+ # migration so the build runs against a deterministic, validated image.
+ runs-on: windows-2025
 # Prevents a hung test from tying up the runner — full suite normally runs in ~3 min
 timeout-minutes: 20
 defaults:
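Review bot: The write scopes added to the `test` job's `permissions` block (`contents`, `id-token`, `attestations`, `artifact-metadata`) apply to every step of the job, including the build/test steps, and the comment above `runs-on` says this job runs for both push and PR. If the workflow is also triggered on `pull_request`, a least-privilege split would keep the test steps on the workflow-level `read-all` token and move the release/attest steps into a separate job that `needs: test` and is gated on the push event, e.g. `if: github.event_name == 'push'`, so a PR run never holds a token that can create releases or sign attestations. Fork PRs already receive a read-only `GITHUB_TOKEN`, so the residual exposure is same-repo PRs and whatever the test steps execute while holding the elevated token. The `test` job and the workflow's `on:` block lie outside this hunk, so the trigger set is inferred from the comment, not seen.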
@@ -269,9 +272,14 @@ jobs:
 upload-artifact: true
 upload-release-assets: false
+ # actions/attest-sbom was deprecated; actions/attest exposes a native
+ # `sbom-path` input (SPDX/CycloneDX, auto-detected) that maps 1:1 from the
+ # old action and produces an identical SBOM attestation — verifiable via
+ # `gh attestation verify`. Do NOT add predicate-* here: sbom-path is
+ # mutually exclusive with them.
 - name: Attest SBOM
 if: steps.vercheck.outputs.bumped == 'true' && steps.releasecheck.outputs.exists == 'false' && hashFiles(format('builds/RackStack-{0}-sbom.cyclonedx.json', steps.vercheck.outputs.version)) != ''
- uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
+ uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
 with:
 subject-path: builds/RackStack.exe
 sbom-path: builds/RackStack-${{ steps.vercheck.outputs.version }}-sbom.cyclonedx.json
diff --git a/.github/workflows/powershell-scan.yml b/.github/workflows/powershell-scan.yml
index dca4d55..6c09f0c 100644
--- a/.github/workflows/powershell-scan.yml
+++ b/.github/workflows/powershell-scan.yml
@@ -24,9 +24,10 @@ jobs:
 permissions:
 issues: write # the github-script step creates / updates "Scan Results:" issues
 contents: read # checkout
- # windows-latest (GitHub-hosted) — see ci.yml for the security rationale
- # (public repo + self-hosted runner = arbitrary fork code execution).
- runs-on: windows-latest
+ # windows-2025 (GitHub-hosted) — see ci.yml for the security rationale
+ # (public repo + self-hosted runner = arbitrary fork code execution) and
+ # for why we pin the image explicitly ahead of the 2026-06-15 migration.
+ runs-on: windows-2025
 steps:
 - name: Checkout repository
diff --git a/Changelog.md b/Changelog.md
index ae50407..38ac4cf 100644
--- a/Changelog.md
+++ b/Changelog.md
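Review bot: The `# v4.1.0` tag comment on the new `uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26` line is identical to the one on the `actions/attest-sbom` pin it replaces, and nothing in the hunk shows the SHA was resolved against `actions/attest`'s own `v4.1.0` tag; since only the SHA is enforced, the comment should be re-derived from the new repository, or the pin managed by Dependabot/Renovate so the tag comment and SHA cannot drift apart. The added comment says `sbom-path` is mutually exclusive with `predicate-*` inputs, but the `with:` block continues past the hunk, so it is worth confirming that no `predicate-type`/`predicate-path` key remains below `sbom-path`. The comment's "verifiable via `gh attestation verify`" claim could be turned into a gate with a follow-up step, `run: gh attestation verify builds/RackStack.exe --repo ${{ github.repository }}`, so a release is not published with an attestation that does not verify. The `Attest SBOM` step's `with:` block extends outside this hunk.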
@@ -1,5 +1,14 @@
 # Changelog
+## v1.119.1
+
+CI maintenance — clears the two non-blocking annotations the release workflow was emitting, ahead of GitHub's deadlines.
+
+- **`actions/attest-sbom` → `actions/attest`** — the SBOM-attestation action was deprecated. `actions/attest` exposes a native `sbom-path` input (SPDX/CycloneDX, auto-detected) that maps 1:1 from the old action and produces an **identical** SBOM attestation, still verifiable via `gh attestation verify`. The migration also adds the `artifact-metadata: write` job permission that `actions/attest` v4 now requires.
+- **`windows-latest` → `windows-2025`** — GitHub is redirecting `windows-latest` to the Windows Server 2025 image by 2026-06-15. Pinning `ci.yml` and `powershell-scan.yml` to `windows-2025` now makes the runtime explicit and validates the build against the target image early. `windows-2025` ships Windows PowerShell 5.1, .NET Framework 4.8, and PowerShell 7 — everything the build/test pipeline needs (it never invokes the Visual Studio toolchain, so the concurrent VS2026 image change does not affect it).
+
+CI-only changes; no functional change to the tool. Modules and CLI actions unchanged (81 modules, 201 actions).
+
 ## v1.119.0
 Remote Desktop Services — a new module (**80-RemoteDesktopServices**) surfaced under **Roles & Features → [15] Remote Desktop Services (RDS)**, plus a read-only CLI action.
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
index 65f7d96..d066c0d 100644
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -70,8 +70,8 @@ limit the impact if the maintainer becomes unavailable:
 `.\sync-to-monolithic.ps1` + `Invoke-PS2EXE`. The same source produces byte-identical output up to ps2exe's PE timestamp.
 - **CI is fully automated and GitHub-hosted.** No self-hosted
- infrastructure is on the critical path; `windows-latest` runners are
- free for public repos.
+ infrastructure is on the critical path; GitHub-hosted `windows-2025`
+ runners are free for public repos.
 ### Signing-key continuity
 - **Sigstore cosign keyless signing** uses GitHub Actions OIDC, not a
diff --git a/Header.ps1 b/Header.ps1
index 699378b..fc97f82 100644
--- a/Header.ps1
+++ b/Header.ps1
@@ -30,7 +30,7 @@ 7h3 4b1d3r
 .VERSION
- 1.119.0
+ 1.119.1
 .LAST UPDATED
 05/23/2026
diff --git a/Modules/00-Initialization.ps1 b/Modules/00-Initialization.ps1
index aeed870..1556b45 100644
--- a/Modules/00-Initialization.ps1
+++ b/Modules/00-Initialization.ps1
@@ -225,7 +225,7 @@ if (-not $PSCommandPath -and $script:ScriptPath) {
 if (-not $script:ModuleRoot -and $script:ScriptPath) {
 $script:ModuleRoot = [System.IO.Path]::GetDirectoryName($script:ScriptPath)
 }
-$script:ScriptVersion = "1.119.0"
+$script:ScriptVersion = "1.119.1"
 $script:ScriptStartTime = Get-Date
 # Post-update cleanup: UpdateSelf / Rollback leave a `.pending-delete` sibling next to RackStack.exe.
diff --git a/RackStack.ps1 b/RackStack.ps1
index eb267d3..33c85e3 100644
--- a/RackStack.ps1
+++ b/RackStack.ps1
@@ -13,7 +13,7 @@ Environment-specific settings are configured via defaults.json.
 .VERSION
- 1.119.0
+ 1.119.1
 .NOTES
 - Requires Windows Server 2012 R2 or later (or Windows 10/11 for testing)
diff --git a/RackStack.psd1 b/RackStack.psd1
index 14fb39b..8251a14 100644
--- a/RackStack.psd1
+++ b/RackStack.psd1
@@ -1,6 +1,6 @@
 @{
 RootModule = 'RackStack.psm1'
- ModuleVersion = '1.119.0'
+ ModuleVersion = '1.119.1'
 GUID = 'c19b8e71-4a35-4f2b-9d06-8a24f7bc0e91'
 Author = 'TheAbider'
 CompanyName = 'TheAbider'