diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml index 77dc8f10..4a35116b 100644 --- a/.github/workflows/publish-docker.yml +++ b/.github/workflows/publish-docker.yml @@ -16,7 +16,9 @@ jobs: build-and-push-image: runs-on: ubuntu-latest permissions: + attestations: write contents: read + id-token: write packages: write steps: @@ -38,12 +40,20 @@ jobs: type=ref,event=branch - name: Build and push Docker image + id: push uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + - name: Attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + - name: Delete oldest Docker images uses: actions/delete-package-versions@v5 with: diff --git a/.github/workflows/release-files.yml b/.github/workflows/release-files.yml index 8f31110f..c5c2c962 100644 --- a/.github/workflows/release-files.yml +++ b/.github/workflows/release-files.yml @@ -8,6 +8,7 @@ jobs: run: runs-on: ubuntu-latest permissions: + attestations: write contents: write id-token: write @@ -39,6 +40,11 @@ jobs: run: > python3 -m hatchling build + - name: Attest + uses: actions/attest-build-provenance@v1 + with: + subject-path: 'dist/*.{tar.gz,whl}' + - name: Check distribution files run: > twine check dist/*.{tar.gz,whl}
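Review bot: `actions/attest-build-provenance@v1` in the new Attest step is fetched by a mutable tag, while the `docker/build-push-action` step directly above it is pinned to a commit SHA with a version comment; the step that produces the provenance deserves the same treatment, e.g. `uses: actions/attest-build-provenance@<commit-sha> # v1.x.y`, with the SHA taken from the release. `push-to-registry: true` requires the job to already be logged in to `${{ env.REGISTRY }}` and a fully qualified, lowercase `subject-name`; `REGISTRY` and `IMAGE_NAME` are defined outside this hunk, so confirm both hold. The attestation is stored in the registry next to the image, and the `Delete oldest Docker images` step that follows has its options outside the hunk, so check that its pruning does not remove the attestation manifest that was just pushed.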
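Review bot: The brace group in `subject-path: 'dist/*.{tar.gz,whl}'` is expanded by the shell on the `twine check` line below, but the action resolves `subject-path` with its own glob matcher whose documented syntax is `*`, `?`, `[...]` and `**`; if the braces are taken literally the pattern matches nothing and the step fails or attests no files, so verify this against a run. `subject-path: 'dist/*'` covers the same hatchling output without relying on brace expansion, or list the two patterns on separate lines of a block scalar. Consider also moving the Attest step after `Check distribution files`, so provenance is only recorded for artifacts that have passed `twine check`, and pin the action to a commit SHA rather than the mutable `@v1` tag as the Docker workflow does for its other actions.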