diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e97938d..4362f53 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,8 @@ jobs:
 name: release
 permissions:
 contents: write # Needed to upload release assets.
+ id-token: write # Needed for attestation.
+ attestations: write # Needed for attestations.
 runs-on: ubuntu-latest
 steps:
 - name: harden runner
@@ -39,6 +41,16 @@ jobs:
 - name: 'assemble artifacts'
 run: ./hack/assemble.sh
 
+ - name: 'attest sprout-x86_64.efi artifact'
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+ with:
+ subject-path: target/assemble/sprout-x86_64.efi
+
+ - name: 'attest sprout-aarch64.efi artifact'
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+ with:
+ subject-path: target/assemble/sprout-aarch64.efi
+
 - name: 'generate cultivator token'
 uses: actions/create-github-app-token@bf559f85448f9380bcfa2899dbdc01eb5b37be3a # v3.0.0-beta.2
 id: generate-token
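Review bot: `id-token: write` is granted on the whole `release` job, so every step in it, including `./hack/assemble.sh` and the token-generation step that follows, can request an OIDC token, not only the two attest steps. If the release flow allows it, attestation could live in a follow-up job that holds only `id-token: write` and `attestations: write` and receives the built files from this one; the rest of the job is outside the hunk, so that may not fit. The two new comments are nearly identical and do not say what each scope is for; I would write `id-token: write # Needed to mint the OIDC token that signs the attestation.` and `attestations: write # Needed to store the attestation on the repository.`.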
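Review bot: The attest steps record the digests of the files under `target/assemble` as they are right after `./hack/assemble.sh`, and the step that uploads the release assets is outside this hunk. If any later step rewrites, re-signs or repackages those files, the published assets will no longer match their attestation, so it is worth confirming the upload takes exactly these paths. A comment above the first attest step would pin the invariant: `# Attest before upload; files under target/assemble must not change after this point.`. The two steps could also be one, since `subject-path` accepts a list of paths or a glob, which keeps the pinned action reference in a single place.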