diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6d72be6..df7ba96 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,14 +10,12 @@ on:
 types: [published] workflow_dispatch: -permissions: - contents: read - packages: write - jobs: publish-npm: runs-on: ubuntu-latest name: npm + permissions: + contents: read steps: - uses: actions/checkout@v4 
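Review bot: Dropping the workflow-level `permissions` block means any job added to this workflow later without its own `permissions` falls back to the repository's default GITHUB_TOKEN scope, which depending on the repository setting can be read/write for every scope; keep a restrictive top-level default so the job-level blocks are explicit grants rather than the only guard, e.g. `permissions: {}` (or `contents: read`) at the top of the file with the per-job blocks left as they are. Job-level `permissions` replace rather than extend the default, so the new `contents: read` on publish-npm is still needed with the top-level block restored. The publish-npm job body continues beyond this hunk.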
@@ -31,18 +29,63 @@ jobs:
 - run: npm publish env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - + publish-ghcr: - runs-on: ubuntu-latest - name: Docker - steps: - - uses: actions/checkout@v4 - - - name: Build image - run: | - docker build . --tag ghcr.io/tldr-pages/tldr-lint:latest - - - name: Push to GHCR - run: | - docker login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} - docker image push ghcr.io/tldr-pages/tldr-lint:latest + runs-on: ubuntu-latest + + permissions: + contents: read + packages: write # Allow pushing images to GHCR + attestations: write # To create and write attestations + id-token: write # Additional permissions for persistence of the attestations + + env: + BUILDX_NO_DEFAULT_ATTESTATIONS: 1 + + steps: + - uses: actions/checkout@v4 + + - name: Set image name + run: | + echo "IMAGE_URL=ghcr.io/tldr-pages/tldr-lint">> "$GITHUB_ENV" + + - name: Docker meta + id: docker_meta + uses: docker/metadata-action@v5 + with: + images: | + ${{ env. IMAGE_URL }} + tags: | + type=raw,value=latest + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Package Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and Push the Docker image + id: push + uses: docker/build-push-action@v5 + with: + context: . + file: Dockerfile + push: true + tags: ${{ steps.docker_meta.outputs.tags }} + labels: ${{ steps.docker_meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + platforms: linux/amd64 + provenance: false + + - name: Attest pushed image + uses: actions/attest-build-provenance@v1 + id: attest + with: + subject-name: ${{ env.IMAGE_URL }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: false
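Review bot: Every action the new publish-ghcr job runs is referenced by a floating major tag (`docker/login-action@v3`, `docker/build-push-action@v5`, `actions/attest-build-provenance@v1`, plus the checkout, buildx and metadata steps) inside a job that holds `packages: write` and `id-token: write`, so a moved or compromised tag could push an arbitrary image to ghcr.io and produce a genuine-looking provenance attestation for it; pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1`. With `push-to-registry: false` the attestation lives only in GitHub's attestation store, so it can be checked with `gh attestation verify oci://ghcr.io/tldr-pages/tldr-lint:latest --owner tldr-pages` but registry-side verifiers such as cosign will not find it; the job already has `packages: write` and a GHCR login, so `push-to-registry: true` would attach it to the image as well. The only tag produced is the mutable `latest` (`type=raw,value=latest`), so consumers cannot pin a verified release by tag; adding `type=semver,pattern={{version}}` alongside it would give an immutable tag per release. The comment on `id-token: write` is misleading — that scope is what lets the action request the OIDC token used to sign the attestation through Sigstore, not anything to do with persistence — so `id-token: write # OIDC token used to sign the attestation (Sigstore)` would be more accurate. Lastly, `${{ env. IMAGE_URL }}` has a stray space after `env.`; I have not confirmed whether the expression parser tolerates it, so it is worth checking that the metadata step resolves the image name rather than an empty string.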