diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 84fba222..d42394c1 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -29,10 +29,10 @@ jobs:
           python-version: '3.x'
 
       - name: Install build dependency
-        run: python3 -m pip install -r requirements-build.txt
+        run: python3 -m pip install --constraint requirements-build.txt build
 
       - name: Build binary wheel and source tarball
-        run: python3 -m build --sdist --wheel --outdir dist/ .
+        run: PIP_CONSTRAINT=requirements-build.txt python3 -m build --sdist --wheel --outdir dist/ .
 
       - name: Store build artifacts
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
diff --git a/pyproject.toml b/pyproject.toml
index 6774eb1d..4d4ca204 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,8 @@
 [build-system]
-# Version needs manual updates (dependabot/dependabot-core#8465)
-requires = ["hatchling==1.18.0"]
+# Dependabot cannot do `build-system.requires` (dependabot/dependabot-core#8465)
+# workaround to get reproducibility and auto-updates:
+#   PIP_CONSTRAINT=requirements/build.txt python3 -m build ...
+requires = ["hatchling"]
 build-backend = "hatchling.build"
 
 [project]
diff --git a/requirements-build.txt b/requirements-build.txt
index e780e73e..3c09575e 100644
--- a/requirements-build.txt
+++ b/requirements-build.txt
@@ -1 +1,2 @@
 build==1.0.3
+hatchling==1.20.0