diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 5a71f652..d1006c16 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@@ -94,8 +94,8 @@ jobs:
       - name: Publish Attestations to GitHub
         uses: actions/attest-build-provenance@v1
         env:
-          IMAGE_REPO_TAG: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}:${{ steps.semver.outputs.zrok_semver }}
+          IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}
         with:
-          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO_TAG}}
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8c2d45b..b7fe3250 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Dock
 
 CHANGE: Linux release binaries are now built on the ziti-builder container image based on Ubuntu Focal 20.04 to preserve backward compatibility as the ubuntu-20.04 GitHub runner is end of life.
 
+CHANGE: Container images now include SLSA and SBOM attestations, and these are also published to the Docker Hub registry (https://github.com/openziti/zrok/issues/890).
+
 CHANGE: Release binary and text artifacts are now accompanied by provenance attestations (https://github.com/openziti/zrok/issues/889).
 
 ## v0.4.48