diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 0d2a0a5..c407fa9 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -63,6 +63,11 @@ on:
 jobs:
 build:
+ permissions:
+ id-token: write
+ packages: write
+ attestations: write
+ contents: read
 env:
 REGISTRY_LOGIN: "${{ secrets.REGISTRY_LOGIN || github.repository_owner }}"
 REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}"
@@ -86,6 +91,7 @@ jobs:
 - name: Build and push ${{ inputs.name }} image
 uses: docker/build-push-action@v5
+ id: push
 with:
 context: ${{ inputs.context }}
 provenance: ${{ inputs.provenance }}
@@ -98,3 +104,10 @@ jobs:
 build-args: ${{ inputs.build-args }}
 file: ${{ env.FILE }}
 secrets: ${{ inputs.secrets }}
+
+ - name: Attest image
+ uses: github-early-access/generate-build-provenance@main
+ with:
+ subject-name: ${{ inputs.registry }}/${{ inputs.namespace }}/${{ inputs.name }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 532467c..184f75a 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -5,6 +5,8 @@ permissions:
 contents: read
 security-events: write
 pull-requests: write
+ attestations: write
+ id-token: write
 jobs:
 docker-build:
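Review bot: The new job-level `permissions` block under `build:` sets every scope it does not list to `none` for this job, so any other token scope the job relied on further down (for example `security-events: write` for a scan-upload step, if one exists) is silently dropped; the rest of the job is outside this hunk, so please confirm the remaining steps need nothing beyond these four scopes. This workflow appears to be a reusable one (the `inputs.*` references), and a callee's job-level `permissions` can only narrow what the caller granted, so a caller that does not itself grant `id-token: write`, `packages: write` and `attestations: write` will see the attestation step fail at runtime rather than at parse time. A short comment on each scope would save the next reader a search, e.g. `# id-token: write — lets the attestation step request an OIDC token for signing` and `# packages: write — push the image and its attestation to the registry`.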
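Review bot: `uses: github-early-access/generate-build-provenance@main` in the new "Attest image" step pins the action to a mutable branch of an early-access repository, inside a job that now holds `id-token: write` and `packages: write`, so a force-push to or compromise of that branch runs arbitrary code able to mint OIDC tokens in this repository's identity and push to the registry. Pin it to a full commit SHA with the version in a trailing comment, `uses: github-early-access/generate-build-provenance@<commit-sha>  # <version>`; the early-access action has also been superseded by `actions/attest-build-provenance`, which takes the same `subject-name`/`subject-digest`/`push-to-registry` inputs, so switching and SHA-pinning at the same time is worth considering. The step also runs unconditionally and consumes `steps.push.outputs.digest`; if the build step is ever run without pushing, the digest is empty and the attestation fails late, so consider gating it with `if: steps.push.outputs.digest != ''`. The enclosing job's remaining steps are outside the hunk.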
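Review bot: Adding `attestations: write` and `id-token: write` to the workflow-level `permissions` in tests.yaml grants them to every job in the workflow, not only `docker-build`, so any other job here (test runners, third-party actions) can now request an OIDC token in this repository's identity. Scope them to the job that calls the reusable workflow instead, by moving the two lines under `docker-build:` as a job-level `permissions:` block with `id-token: write` and `attestations: write`, which is enough for the callee's own job-level block to retain them. `packages: write` does not appear in this hunk; if the called build job pushes with `secrets.GITHUB_TOKEN` it must be granted by this caller too, which cannot be confirmed from the visible lines since the rest of this workflow's permissions and jobs are outside the hunk.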