diff --git a/Makefile-kpromo b/Makefile-kpromo
index a790fe65..854076a0 100644
--- a/Makefile-kpromo
+++ b/Makefile-kpromo
@@ -17,7 +17,7 @@ SHELL=/bin/bash -o pipefail
 
 REGISTRY ?= gcr.io/k8s-staging-artifact-promoter
 IMGNAME = kpromo
-IMAGE_VERSION ?= v0.2.3-1
+IMAGE_VERSION ?= v0.2.4-1
 
 IMAGE = $(REGISTRY)/$(IMGNAME)
 
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 9f0dc1ce..0375cf2d 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -41,7 +41,7 @@ substitutions:
   # vYYYYMMDD-hash, and can be used as a substitution
   _GIT_TAG: '12345'
   _PULL_BASE_REF: 'dev'
-  _IMAGE_VERSION: 'v0.2.3-1'
+  _IMAGE_VERSION: 'v0.2.4-1'
   _GO_VERSION: '1.17'
   _OS_CODENAME: 'buster'
 
diff --git a/dependencies.yaml b/dependencies.yaml
index 4282fbdf..a84b80e8 100644
--- a/dependencies.yaml
+++ b/dependencies.yaml
@@ -66,7 +66,7 @@ dependencies:
       match: go \d+.\d+
 
   - name: "k8s.gcr.io/artifact-promoter/kpromo"
-    version: v0.2.3-1
+    version: v0.2.4-1
     refPaths:
     - path: cloudbuild.yaml
       match: v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)-([0-9]+)
diff --git a/filepromoter/filestore.go b/filepromoter/filestore.go
index 022935ec..37c99197 100644
--- a/filepromoter/filestore.go
+++ b/filepromoter/filestore.go
@@ -86,12 +86,18 @@ func openFilestore(
 
 	var opts []option.ClientOption
 	if withAuth {
-		logrus.Infof("requesting an authenticated storage client")
+		logrus.Infof(
+			"requesting an authenticated storage client for %s",
+			filestore.Base,
+		)
 
 		ts := &gcloudTokenSource{ServiceAccount: filestore.ServiceAccount}
 		opts = append(opts, option.WithTokenSource(ts))
 	} else {
-		logrus.Warnf("requesting an UNAUTHENTICATED storage client")
+		logrus.Warnf(
+			"requesting an UNAUTHENTICATED storage client for %s",
+			filestore.Base,
+		)
 
 		opts = append(opts, option.WithoutAuthentication())
 	}
@@ -122,6 +128,13 @@ func useStorageClientAuth(
 	useServiceAccount, dryRun bool,
 ) (bool, error) {
 	withAuth := false
+
+	// Source filestores should be world-readable, so authentication should
+	// not be required.
+	if filestore.Src {
+		return withAuth, nil
+	}
+
 	if !dryRun {
 		if filestore.ServiceAccount == "" {
 			return withAuth, fmt.Errorf("cannot execute a production file promotion without a service account")
diff --git a/filepromoter/filestore_test.go b/filepromoter/filestore_test.go
index 45c79215..ea6e8dd7 100644
--- a/filepromoter/filestore_test.go
+++ b/filepromoter/filestore_test.go
@@ -56,6 +56,17 @@ func Test_useStorageClientAuth(t *testing.T) {
 			want:    false,
 			wantErr: true,
 		},
+		{
+			name: "production source filestore without service account",
+			args: args{
+				filestore: &api.Filestore{
+					Src: true,
+				},
+				dryRun: false,
+			},
+			want:    false,
+			wantErr: false,
+		},
 		{
 			name: "non-production",
 			args: args{