diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe96cfee..c0aa572e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,10 +5,6 @@ on:
 tags:
 - 'v*.*.*'
-# grant write permission to GITHUB_TOKEN for goreleaser
-permissions:
- contents: write
-
 env:
 ZITI_DEB_TEST_REPO: ${{ vars.ZITI_DEB_TEST_REPO || 'zitipax-openziti-deb-test' }}
 ZITI_RPM_TEST_REPO: ${{ vars.ZITI_RPM_TEST_REPO || 'zitipax-openziti-rpm-test' }}
@@ -263,6 +259,10 @@ jobs:
 draft-release:
 runs-on: ubuntu-latest
 needs: call-publish-docker-images
+ permissions:
+ contents: write # need write to draft the release
+ id-token: write # need write to get OIDC token for generating attestations
+ attestations: write # need write to create attestations
 steps:
 - uses: actions/checkout@v4
@@ -292,12 +292,26 @@ jobs:
 merge-multiple: true
 pattern: release-builds-*
- - run: |
+ - name: Create Checksum Files
+ shell: bash
+ run: |
+ ls -lAR ./automated-release-build/
+
+ # create checksum file for the attestations
+ shasum --algorithm 256 ./automated-release-build/* | tee /tmp/attestation-subjects.sha256.txt
+
+ # create checksum file for the release
 cd ./automated-release-build/
 shasum --algorithm 256 ./* | tee ./checksums.sha256.txt
- - uses: goreleaser/goreleaser-action@v6
+ - name: Attest Build Provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-checksums: /tmp/attestation-subjects.sha256.txt
+
+ - name: Draft Release
+ uses: goreleaser/goreleaser-action@v6
 with:
 distribution: goreleaser
 version: '~> v2'
diff --git a/.gitignore b/.gitignore
index a830fe64..4566b841 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,7 @@
 .idea
 .vscode
 *.db
-automated-release-build
+/automated-release-build/
 etc/dev.yml
 etc/dev-frontend.yml
@@ -10,7 +10,7 @@ etc/dev-frontend.yml
 node_modules/
 # Artifacts
-dist/
+/dist/
 # Generated files
 .docusaurus
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc945094..c09998c0 100644
--- a/CHANGELOG.md 
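Review bot: Removing the workflow-level `permissions:` block leaves every job other than `draft-release` on the repository's default GITHUB_TOKEN permissions, which can be read/write on all scopes depending on the repo or org setting, so for the build and publish jobs this may widen the token rather than narrow it. Keep a restrictive default at the top, `permissions:` / `  contents: read`, and grant anything more only per job, as `draft-release` now does in the second hunk. The other jobs in this workflow are outside the hunk, so check whether any of them (the Docker publish job in particular, if it is a reusable-workflow call, which inherits the caller's permissions) relied on the removed `contents: write`.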
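Review bot: In the `Create Checksum Files` step the attestation subjects file is written before `checksums.sha256.txt` exists, so that file is not an attested subject even though the changelog says text artifacts are covered; if goreleaser uploads it as a release asset, either attest it too or document the exclusion. The subject names will also carry the `./automated-release-build/` prefix exactly as shasum prints it, which does not match the bare asset names a consumer that matches on subject name would expect; running everything from inside the directory fixes both: `cd ./automated-release-build/` / `shasum --algorithm 256 ./* | tee ./checksums.sha256.txt` / `shasum --algorithm 256 * | tee /tmp/attestation-subjects.sha256.txt`. Note that if the merged artifacts contain any subdirectory, shasum exits non-zero on it and the step fails under the `-eo pipefail` bash that `shell: bash` selects, so restrict the glob to regular files if that can happen.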
+++ b/CHANGELOG.md
@@ -14,6 +14,8 @@ CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Dock
 CHANGE: Linux release binaries are now built on the ziti-builder container image based on Ubuntu Focal 20.04 to preserve backward compatibility as the ubuntu-20.04 GitHub runner is end of life.
+CHANGE: Release binary and text artifacts are now accompanied by provenance attestations (https://github.com/openziti/zrok/issues/889).
+
 ## v0.4.48
 FEATURE: The controller configuration now supports a `disable_auto_migration` boolean in the `store` stanza. When set to `true`, the controller will not attempt to auto-migrate (or otherwise validate the migration state) of the underlying database. Leaving `disable_auto_migration` out, or setting it to false will retain the default behavior of auto-migrating when starting the zrok controller. The `zrok admin migrate` command will still perform a migration regardless of how this setting is configured in the controller configuration (https://github.com/openziti/zrok/issues/866)