diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0aeee82..7f4d87d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -145,6 +145,10 @@ jobs:
 deploy:
 needs: [test-jre21]
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
 strategy:
 matrix:
 java: [ '11' ]
@@ -177,3 +181,11 @@ jobs:
 name: release.tar.gz
 path: archives/release.tar.gz
 if-no-files-found: error
+ - name: Attest deploy JAR provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: 'bazel-bin/cli/bazel-diff_deploy.jar'
+ - name: Attest source archive provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: 'archives/release.tar.gz'
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 2291f6c..0df3793 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -14,13 +14,15 @@ jobs:
 tag_name: ${{ inputs.tag_name }}
 # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
 registry_fork: maxwellE/bazel-central-registry
- attest: false
+ attest: true
 author_name: Maxwell Elliott
 author_email: maxwell@elliott.now
 committer_name: Maxwell Elliott
 committer_email: maxwell@elliott.now
 permissions:
 contents: write
+ id-token: write
+ attestations: write
 secrets:
 # Necessary to push to the BCR fork, and to open a pull request against a registry
 publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}
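Review bot: `contents: read` in the new job-level `permissions` block narrows the `deploy` job's `GITHUB_TOKEN` to read-only on the repository, so any later step in this job that creates a release, uploads release assets or pushes a tag will now fail with a 403; the rest of the `deploy` job is outside the hunk, so confirm none of its steps needs write access before merging. If one does, raise that single scope to `contents: write` rather than dropping the block, since `id-token: write` and `attestations: write` are the minimum the attestation steps need and nothing else here should be widened. An explicit block like this is the right shape because it replaces the repository default for this one job only.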
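Review bot: Both new steps reference `actions/attest-build-provenance@v2`, a floating major tag that the action's maintainers can move to a different commit; for a step whose whole purpose is supply-chain provenance, pin to the full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v2` (placeholder: look up the current v2 commit), and let Dependabot or Renovate keep the pin current. The attestation only covers what was on the runner at that moment: `archives/release.tar.gz` is attested right after the `upload-artifact` context lines that upload the same path, which is fine, but the step that actually publishes the JAR is outside the hunk, so confirm the released file is the one at `bazel-bin/cli/bazel-diff_deploy.jar` and not a later repackaging. Note also that `id-token: write` is not granted on `pull_request` runs from forks; if `deploy` can run on those events the attest steps will fail there and should be gated with the same `if:` the release steps use.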
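Review bot: `id-token: write` and `attestations: write` requested for this reusable-workflow job must also be allowed by the caller: if `publish.yaml` has a top-level `permissions:` block (outside the hunk), GitHub refuses to start a called job that asks for more than the workflow grants, so that block needs the same two scopes added. `attest: true` hands attestation generation to the called workflow, so what gets signed is whatever that workflow builds — presumably the BCR release archive — rather than the artifacts attested in `ci.yaml`; a one-line comment next to it, e.g. `# Called workflow generates provenance; requires id-token + attestations scopes below`, would tie the flag and the two permission additions together as one change. `contents: write` was already present and is unchanged by this commit.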