diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f91887ed..89792778 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -64,6 +64,8 @@ jobs:
 permissions:
 packages: write
+ attestations: write
+ id-token: write
 env:
 REGISTRY: ghcr.io
@@ -103,6 +105,7 @@ jobs:
 run: tar -xzvf ./build-${{ needs.build.outputs.revision }}.tar.gz
 - name: Build and push Docker image
+ id: push
 uses: docker/build-push-action@v6
 with:
 context: .
@@ -110,6 +113,13 @@ jobs:
 labels: ${{ steps.metadata.outputs.labels }}
 push: true
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
 deploy:
 needs: build
 environment: prose.org
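Review bot: The two added scopes carry no comment saying which step needs them, and `id-token: write` is available to every step of the job that holds it, not only the attestation step. I would add a comment above them, e.g. `# attestations + id-token: required by actions/attest-build-provenance to sign and store build provenance`, so a later edit neither widens nor silently drops them. The `permissions` block starts outside the hunk, so I am assuming it is job-level; if it turns out to be workflow-level, moving these two scopes onto the job that runs the attestation step would keep the `deploy` job from being able to request an OIDC token.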
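Review bot: `actions/attest-build-provenance@v1` is referenced by a movable major tag in a job that appears to hold `id-token: write` and `attestations: write`, so whatever code that tag points to at run time is what signs provenance for this image. Pinning it to a full commit SHA, `uses: actions/attest-build-provenance@<FULL_COMMIT_SHA>  # v1`, keeps the signing step reviewable; the same applies to `docker/build-push-action@v6` on the unchanged line of the previous hunk. Nothing visible here checks the attestation before the image is used, so if the `deploy` job (which continues outside the hunk) pulls this image, a `gh attestation verify` step there would turn the provenance into an actual gate rather than a record.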