diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8021489..a4203c5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -88,6 +88,10 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 needs: [build, sbom]
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 - name: Download artifacts
@@ -129,3 +133,7 @@ jobs:
 files: release/*
 draft: false
 prerelease: false
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+ with:
+ subject-path: 'release/*'
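Review bot: The job-level `permissions:` block added in the first hunk grants `id-token: write` and `contents: write` to every step of the job, not only to the attestation step, so the publishing step (outside this hunk) can also request an OIDC token. If the job can be split, keeping `id-token: write` and `attestations: write` in a job that only downloads the artifacts and attests them, with `contents: write` left to the publishing job, would narrow that. At minimum a comment per scope would tell the next reader why it is there, e.g. `id-token: write  # OIDC token used to sign the attestation` and `attestations: write  # persist the attestation`. The job's name and most of its steps are outside the hunk.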
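Review bot: In the second hunk the `Attest build provenance` step is appended after the step that publishes the release with `draft: false`, so a failed attestation leaves a public release with no provenance, and there is a window in which the assets are downloadable but not yet verifiable. Moving the attest step ahead of the publishing step would make a failed attestation block the release. `subject-path: 'release/*'` also attests every file in that directory; if the output of the `sbom` job lands there, it is recorded as a build subject too, which may or may not be intended. The publishing step starts outside the hunk.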