diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9022cc2..228e584 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,10 @@ jobs:
 permissions:
 # contents:write is required to upload the binaries to the release.
 contents: write
+ # id-token:write is required for build provenance attestation.
+ id-token: write
+ # attestations:write is required for build provenance attestation.
+ attestations: write
 steps:
 - name: Setup PHP
 uses: shivammathur/setup-php@v2
@@ -49,6 +53,10 @@ jobs:
 --detach-sign \
 --output pie.phar.asc \
 pie.phar
+ - name: Generate build provenance attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: '${{ github.workspace }}/pie.phar'
 - name: Upload binaries to release
 uses: softprops/action-gh-release@v2
 if: ${{startsWith(github.ref, 'refs/tags/') }}
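Review bot: The new `id-token: write` and `attestations: write` grants sit in what appears to be the job-level `permissions:` block, so every step in the job can use them, not only the attestation step. That includes the third-party actions referenced by mutable tags: `shivammathur/setup-php@v2` here and `softprops/action-gh-release@v2` and `actions/attest-build-provenance@v1` in the second hunk. Since the provenance is only as trustworthy as the steps sharing the job, I would pin each action to a full commit SHA, e.g. `uses: shivammathur/setup-php@<full-commit-sha> # v2`. The comment could also state the scope: `# id-token:write applies to every step in this job; keep third-party actions pinned.` The job definition starts and ends outside this hunk, so any other steps are not visible here.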
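Review bot: The added "Generate build provenance attestation" step has no `if:` condition, while the upload step right after it is gated on `if: ${{startsWith(github.ref, 'refs/tags/') }}`. If the workflow can be triggered by anything other than a tag push (the `on:` block is outside this hunk), signed attestations would be issued for `pie.phar` builds that are never published as a release. Consider giving the step the same guard, `if: ${{startsWith(github.ref, 'refs/tags/') }}`. A short comment would also help, noting that the attestation covers only `pie.phar` and that `pie.phar.asc` is not a subject.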