diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 04526e0..947026a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,8 @@ on:
 permissions:
     contents: read
     packages: write
+    id-token: write
+    attestations: write
 
 jobs:
     docker:
@@ -50,6 +52,14 @@ jobs:
                   build-args: |
                         SQLX_OFFLINE: true
               env:
+                  SQLX_OFFLINE: true
                   DOCKER_BUILD_SUMMARY: false
                   DOCKER_BUILD_RECORD_UPLOAD: false
-                  SQLX_OFFLINE: true
+
+            - name: Attest
+              id: attest
+              uses: actions/attest-build-provenance@v1
+              with:
+                  push-to-registry: true
+                  subject-name: ghcr.io/${{ github.repository }}
+                  subject-digest: ${{ steps.docker_build.outputs.digest }}