diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9b11e71..a339a5f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -193,6 +193,9 @@ jobs:
 runs-on: ubuntu-22.04
 if: >
 needs.targets.outputs.targets != '[]'
+ permissions:
+ id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@v4
@@ -260,6 +263,14 @@ jobs:
 gluon-path: "gluon-gha-data/gluon"
 hardware-target: ${{ matrix.target }}
+ - name: Attest Image Build Provenance
+ if: ${{ needs.build-meta.outputs.create-release != '0' }}
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: |
+ "gluon-gha-data/gluon/output/images/sysupgrade/*"
+ "gluon-gha-data/gluon/output/images/other/*"
+ "gluon-gha-data/gluon/output/images/factory/*"
 manifest:
 needs: [build, build-meta, targets]
@@ -487,6 +498,8 @@ jobs:
 github.event_name == 'push'
 permissions:
 contents: write
+ id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@v4
@@ -524,6 +537,12 @@ jobs:
 gluon-gha-data/release-artifacts/build-meta.txt
 gluon-gha-data/release-notes.md
+ - name: Attest Release Artifact Build Provenance
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: |
+ gluon-gha-data/release-artifacts/*
+
 - name: Create GitHub Release
 uses: softprops/action-gh-release@v2
 with:
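Review bot: The new job-level `permissions:` block in the first hunk lists only `id-token: write` and `attestations: write`, and because an explicit permissions block sets every unlisted scope to `none`, the build job's GITHUB_TOKEN loses the default `contents: read` that the `actions/checkout@v4` step two lines below relies on. On a public repository the clone most likely still succeeds anonymously, but on a private fork, or for any later step that reads the repository through the token, it would fail. Add `contents: read` alongside the two new scopes so the least-privilege intent is explicit rather than accidental, matching the release job later in the file which already spells out its `contents` scope. The enclosing job definition starts before this hunk.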
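Review bot: The three `subject-path` patterns in the image attestation step are written inside a `|` literal block scalar, so the surrounding double quotes are part of the value handed to the action rather than YAML quoting; unless the action strips them, a glob such as `"gluon-gha-data/gluon/output/images/sysupgrade/*"` matches no files and the step either fails for lack of subjects or attests nothing, which would go unnoticed until someone tries to verify an image. The release-artifact step added later in this same diff passes its path unquoted, so the two steps are also inconsistent with each other. Drop the quotes, e.g. `gluon-gha-data/gluon/output/images/sysupgrade/*`, and do the same for the `other` and `factory` lines. The enclosing build job starts before this hunk.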
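Review bot: `actions/attest-build-provenance@v1` in the release-artifact attestation step is referenced by a mutable major tag, so the very step that vouches for the supply-chain integrity of the release is resolved to whatever commit that tag points at when the workflow runs. For an attestation or signing step the usual recommendation is to pin to the full commit SHA of the chosen release and keep the human-readable version in a trailing comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1`, and the same applies to the image attestation step earlier in this diff. I note the file already pins `actions/checkout` and `softprops/action-gh-release` by tag, so this is a project-wide choice rather than a defect introduced here, but the attestation steps are the ones where a compromised tag would directly undermine the guarantee being added. The enclosing release job starts before this hunk.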