diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml
index f31c8793b0..4c6540d424 100644
--- a/.github/actions/generate-builder/action.yml
+++ b/.github/actions/generate-builder/action.yml
@@ -2,8 +2,11 @@ name: "Generate the builder"
 description: "Build or fetch the builder binary"
 inputs:
 ref:
- description: "A fully formed ref (refs/...) or SHA to checkout."
+ description: "A fully formed ref (refs/...) or SHA to checkout for the action code."
 required: true
+ builder-ref:
+ description: "A fully formed ref (refs/...) or SHA to generate the builder. If not provided, defaults to inputs.ref"
+ required: false
 repository:
 description: "Repository of the builder."
 required: true
@@ -67,11 +70,17 @@ runs:
 # release binaries when the compile-builder input is false.
 VERIFIER_REPOSITORY: slsa-framework/slsa-verifier # The repository to download the pre-built verifier binary from.
 VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64 # The name of the verifier binary in the release assets.
- VERIFIER_RELEASE_BINARY_SHA256: b1d6c9bbce6274e253f0be33158cacd7fb894c5ebd643f14a911bfe55574f4c0 # The expected hash of the verifier binary.
- VERIFIER_RELEASE: v1.3.2 # The version of the verifier to download.
+ VERIFIER_RELEASE_BINARY_SHA256: 538e5346784ddab14189dd66fb995e49c69247985a364558ad3b44e1fbff04cf # The expected hash of the verifier binary.
+ VERIFIER_RELEASE: v2.1.0 # The version of the verifier to download.
 COMPILE_BUILDER: "${{ inputs.compile-builder }}"
- BUILDER_REF: "${{ inputs.ref }}"
+ # NOTE: If a builder reference is specified, then we will download this version of the builder.
+ # Otherwise, we use the same tag reference as the detected workflow source reference. This allows
+ # pinning the builder binary version at the same as the reuseable workflow reference, and avoids
+ # dynamically fetching a builder binary.
+ # The builder-ref option can be used to test the scripts at main to download a builder binary at
+ # a previous tag.
+ BUILDER_REF: "${{ inputs.builder-ref || inputs.ref }}" # The version of the builder to retrieve.
 BUILDER_DIR: "./__BUILDER_CHECKOUT_DIR__/${{ inputs.directory }}"
 # Needed for the gh CLI used in builder-fetch.sh.
 GH_TOKEN: "${{ inputs.token }}"
diff --git a/.github/actions/generate-builder/builder-fetch.sh b/.github/actions/generate-builder/builder-fetch.sh
index 1bc294e262..ece3b7c99c 100755
--- a/.github/actions/generate-builder/builder-fetch.sh
+++ b/.github/actions/generate-builder/builder-fetch.sh
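Review bot: The new `BUILDER_REF: "${{ inputs.builder-ref || inputs.ref }}"` makes the fetched builder version a caller choice, while the accompanying NOTE describes `builder-ref` only as a testing aid; nothing in the action ties the selected tag to the workflow's own ref, so a caller can pin an older builder release. If builder-fetch.sh derives `BUILDER_TAG` from this value, the provenance check still constrains the choice to genuine releases of the pinned repository, so the exposure is a version downgrade rather than arbitrary code, and that is worth saying in the comment, e.g. `# Callers may select an older released builder via builder-ref; its provenance is still verified, but its version is not tied to this workflow's ref.`. Minor wording in the same NOTE: `reuseable` → `reusable`, and `at the same as the` → `to the same version as the`.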
@@ -73,11 +73,12 @@ echo "verifier hash verification has passed"
 # Verify the provenance of the builder.
 chmod a+x "$VERIFIER_RELEASE_BINARY"
-./"$VERIFIER_RELEASE_BINARY" --branch "main" \
- --tag "$BUILDER_TAG" \
- --artifact-path "$BUILDER_RELEASE_BINARY" \
- --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \
- --source "github.com/$BUILDER_REPOSITORY" || exit 6
+./"$VERIFIER_RELEASE_BINARY" verify-artifact \
+ --source-branch "main" \
+ --source-tag "$BUILDER_TAG" \
+ --provenance-path "$BUILDER_RELEASE_BINARY.intoto.jsonl" \
+ --source-uri "github.com/$BUILDER_REPOSITORY" \
+ "$BUILDER_RELEASE_BINARY" || exit 6
 BUILDER_COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_TAG" | jq -r '.object.sha')
 PROVENANCE_COMMIT=$(jq -r '.payload' <"$BUILDER_RELEASE_BINARY.intoto.jsonl" | base64 -d | jq -r '.predicate.materials[0].digest.sha1')
diff --git a/.github/actions/generate-builder/generate-builder.sh b/.github/actions/generate-builder/generate-builder.sh
index aa89e0a08c..3002ffb344 100755
--- a/.github/actions/generate-builder/generate-builder.sh
+++ b/.github/actions/generate-builder/generate-builder.sh
@@ -2,9 +2,10 @@ set -euo pipefail
 if [[ "$COMPILE_BUILDER" == true ]]; then
- echo "Building the builder"
+ echo "Building the builder with ref: $BUILDER_REF"
 cd "$BUILDER_DIR"
+ git checkout "$BUILDER_REF"
 #TODO(reproducible)
 go mod vendor
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
index 2120fa790a..ca11e43cd4 100644
--- a/.github/workflows/pre-submit.actions.yml
+++ b/.github/workflows/pre-submit.actions.yml
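Review bot: The new `verify-artifact` call constrains source branch, tag and repository but leaves the builder identity unconstrained, so any builder that slsa-verifier trusts by default is accepted for this provenance. `verify-artifact` also takes `--builder-id`; if the builder binaries are always produced by one known workflow, adding `--builder-id "<BUILDER_WORKFLOW_URI placeholder>"` next to `--source-uri` pins that expectation. This is hardening rather than a regression, since the old invocation had no builder pinning either. The script continues outside the hunk; the commit comparison on the two context lines that follow is unchanged.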
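Review bot: The added `git checkout "$BUILDER_REF"` assumes the ref is already present in the clone under `$BUILDER_DIR`; how that directory is populated is outside this hunk, and if it was checked out at `inputs.ref` only, or shallowly, a differing `builder-ref` (or a bare SHA not reachable from the fetched tips) will fail here. With `set -euo pipefail` shown in the hunk header that failure aborts the build, which is the safe outcome, but the script should then fetch the ref first or the input description should state the requirement. Because `BUILDER_REF` is caller-supplied, writing it as `git checkout "$BUILDER_REF" --` also keeps git from reading a leading-dash value as an option.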
@@ -299,10 +299,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+ - name: Detect the builder ref
+ id: detect
+ uses: ./.github/actions/detect-workflow
 - uses: ./.github/actions/generate-builder
 with:
- repository: "slsa-framework/slsa-github-generator"
- ref: "refs/tags/v1.2.2"
+ repository: ${{ steps.detect.output.repository }}
+ ref: ${{ steps.detect.outputs.ref }}
+ builder-ref: "refs/tags/v1.2.2"
 go-version: 1.18
 binary: "slsa-generator-generic-linux-amd64"
 directory: "internal/builders/generic"
diff --git a/RELEASE.md b/RELEASE.md
index 449112054c..4074934576 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -46,7 +46,7 @@ Set up env variables:
 ```shell
 export GITHUB_USERNAME="laurentsimon"
 # This is the existing slsa-verifier version used by the builder. (https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/actions/generate-builder/action.yml#L55)
-export VERIFIER_TAG="v2.0.1"
+export VERIFIER_TAG="v2.1.0"
 export VERIFIER_REPOSITORY="$GITHUB_USERNAME/slsa-verifier"
 # Release tag of the builder we want to release. Release Candidates end with "-rc.#"
 export BUILDER_TAG="v1.5.0-rc.0"
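Review bot: `repository: ${{ steps.detect.output.repository }}` reads `output` where the next line reads `outputs.ref`; the steps context exposes `outputs`, so this expression most likely evaluates to an empty string and the generate-builder action receives an empty `repository` even though that input is marked required. Change it to `repository: ${{ steps.detect.outputs.repository }}`. This also assumes the detect-workflow action exposes an output named `repository`, which is not visible in this diff.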