diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 87ca93e20..d760c670e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -137,6 +137,8 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     permissions:
       contents: write
+      id-token: write
+      attestations: write
     runs-on: ubuntu-24.04
     timeout-minutes: 10
     needs: [build, check]
@@ -157,3 +159,7 @@ jobs:
           files: |
             builds/release-tars-**/*
           make_latest: false
+      - name: Attest Artifacts
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ./builds/release-tars-**/*.tar.gz