diff --git a/.github/actions/build-and-test/action.yml b/.github/actions/build-and-test/action.yml
index 731f382eb..d45fc1253 100644
--- a/.github/actions/build-and-test/action.yml
+++ b/.github/actions/build-and-test/action.yml
@@ -98,6 +98,11 @@ runs:
 with:
 name: ${{ inputs.artifact_name }}
 path: '${{ inputs.bin_name }}*'
+ -
+ name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: ${{ inputs.bin_name }}
 -
 name: Extract documentation files from container
 if: inputs.event_name != 'pull_request' && inputs.platform == 'linux/amd64'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8f83db7cc..38859edb8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,10 @@
 name: Build, Test, Deploy
 
+permissions:
+ id-token: write
+ contents: read
+ attestations: write
+
 on:
 push:
 branches:
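Review bot: The new attestation step passes `subject-path: ${{ inputs.bin_name }}` while the upload step just above it publishes `'${{ inputs.bin_name }}*'`, so any uploaded file whose name carries a suffix ships without provenance; use the same quoted glob, `subject-path: '${{ inputs.bin_name }}*'`. The step also has no `if:` guard, and on pull requests from forks the token normally cannot obtain `id-token: write` or `attestations: write`, so the step would likely fail there; a guard such as `if: inputs.event_name != 'pull_request'`, as the following step already uses, avoids that. Because this action runs with signing permissions, pin `actions/attest-build-provenance@v1` to a full commit SHA rather than the mutable tag. The `runs:` step list begins before and continues past this hunk.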
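Review bot: The `permissions:` block is added at workflow level, so `id-token: write` and `attestations: write` are granted to every job in this workflow rather than only to the job that runs the attestation step; declaring these scopes under that job's own `permissions:` key keeps the OIDC token away from the other jobs. A top-level block also sets every unlisted scope to none, so any deploy job that relies on another write scope (the jobs are outside this hunk) would need it declared explicitly. A short comment above the block, e.g. `# id-token + attestations: required by actions/attest-build-provenance`, would record why the write scopes exist.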