diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
index d55a6bd..cbf1fb0 100644
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@@ -19,6 +19,10 @@ jobs:
 runs-on: ubuntu-24.04
 needs:
 - release
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
 strategy:
 max-parallel: 42
 matrix:
@@ -37,6 +41,10 @@ jobs:
 env:
 GOOS: ${{ matrix.GOOS }}
 GOARCH: ${{ matrix.GOARCH }}
+ - name: Generate signed build provenance attestations
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: 'templatefile-${{ github.ref_name }}-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.xz'
 - name: Upload build artifact
 run: .github/scripts/upload-artifacts
 env:
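Review bot: The `permissions:` block added in the first hunk is job-wide, so every step of this matrix job, not only the attestation step, runs with a token that can write repository contents and request an OIDC token. `id-token: write` and `attestations: write` are what `actions/attest-build-provenance` needs, but the reason for `contents: write` is not visible in the hunk; presumably it serves the upload script. I would record the intent next to the keys, e.g. `contents: write  # release asset upload` and `id-token: write  # Sigstore signing for the attestation`, so a later reviewer can tell which scope can be dropped. The job definition starts and ends outside this hunk, so whether a restrictive top-level `permissions:` default covers the other jobs cannot be confirmed from here.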
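Review bot: `uses: actions/attest-build-provenance@v2` in the second hunk references a mutable tag in a job that holds `id-token: write` and `contents: write`, so whatever the tag points to at run time executes with signing and release-write capability. Pin it to a full commit SHA and keep the tag as a comment, `uses: actions/attest-build-provenance@<full-commit-sha>  # v2`. The `subject-path` is a single literal file name built from `github.ref_name` and the matrix values, so it has to match exactly what the build step writes. The attestation covers the file's bytes as they are at this step, which means `.github/scripts/upload-artifacts` (not visible here) must publish that file unmodified for later verification to succeed. The step list continues beyond the hunk.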