diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 75d0e69a..d81fd624 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -17,6 +17,12 @@ on:
 jobs:
   release:
     runs-on: ubuntu-22.04
+    # The maximum access is "read" for PRs from public forked repos
+    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+    permissions:
+      contents: write # for releases
+      id-token: write # for provenances
+      attestations: write # for provenances
     steps:
       - uses: actions/checkout@v4
       - name: "Build binaries"
@@ -44,6 +50,10 @@ jobs:
           https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
           The sha256sum of the SHA256SUMS file itself is ${shasha} .
           EOF
+      - uses: actions/attest-build-provenance@v1
+        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+        with:
+          subject-path: /tmp/artifact/* /tmp/SHA256SUMS
       - name: "Create release"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
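Review bot: The new `permissions` block grants `id-token: write` and `attestations: write` to every run of the `release` job, while the attestation step added later in this file only runs on `refs/tags/v*` pushes; permissions cannot be scoped per step, so any other event the `on:` block (outside this hunk) triggers on gets a write-capable OIDC token it never uses. If the workflow fires on more than tag pushes, consider moving the attestation into its own job carrying only `id-token: write` and `attestations: write`, gated by the same `if:`, and leaving this job with `contents: write` alone. The second comment line exceeds the usual 120-column limit because of the full docs URL; it is harmless but worth shortening or splitting if the repo runs yamllint.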
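Review bot: `subject-path: /tmp/artifact/* /tmp/SHA256SUMS` relies on space-separated paths, whereas the action's documented multi-subject forms are a glob or a newline-separated list; I am not certain a single space-delimited string is split rather than treated as one (non-matching) pattern, which would leave the release unattested or fail the step on tag pushes only. Using a block scalar removes the ambiguity: `subject-path: |` followed by `/tmp/artifact/*` and `/tmp/SHA256SUMS` on their own lines. Since this step now mints signed provenance for released binaries, pinning `actions/attest-build-provenance` to a full commit SHA (e.g. `@<commit-sha> # v1.x`) instead of the mutable `@v1` tag would also be worthwhile, though the existing `actions/checkout@v4` line follows the same tag convention.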