diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml
index 1a074a8..97addc7 100644
--- a/.github/workflows/release-image.yaml
+++ b/.github/workflows/release-image.yaml
@@ -12,6 +12,10 @@ on:
 short-tag:
 required: true
 type: string
+ create-attestation:
+ required: false
+ type: boolean
+ default: false
 secrets:
 github-token:
 required: true
@@ -44,6 +48,7 @@ jobs:
 - name: Push Docker Image
 if: ${{ success() }}
 uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
+ id: push
 with:
 context: .
 file: ./Dockerfile
@@ -55,3 +60,10 @@ jobs:
 platforms: linux/amd64,linux/arm64
 provenance: false
 sbom: false
+ - name: Generate artifact attestation
+ if: ${{ inputs.create-attestation }}
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-name: ${{ env.IMAGE_REGISTRY }}/${{ inputs.image-name}}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
index e9fa18c..f9f6952 100644
--- a/.github/workflows/test-release.yaml
+++ b/.github/workflows/test-release.yaml
@@ -29,6 +29,7 @@ jobs:
 image-name: github/ospo-reusable-workflows
 full-tag: ${{ needs.release.outputs.full-tag }}
 short-tag: ${{ needs.release.outputs.short-tag }}
+ create-attestation: true
 secrets:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 image-registry: ghcr.io
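Review bot: In the new "Generate artifact attestation" step of release-image.yaml (hunk at -55,3), `actions/attest-build-provenance@v2` is referenced by a mutable tag, while the build-push step directly above it is pinned to a full commit SHA. The step that signs provenance for the published image should be at least as tightly pinned as the step that builds it, since a retargeted tag would run with the job's OIDC and attestation permissions: `uses: actions/attest-build-provenance@<full-commit-sha-of-reviewed-v2-release> # v2`. As a style point in the same step, `${{ inputs.image-name}}` is missing the space before the closing braces that every other expression in the file has. The job's step list begins outside this hunk.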
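Review bot: Setting `create-attestation: true` in test-release.yaml (hunk at -29,6) enables a step that needs `id-token: write` and `attestations: write`, plus `packages: write` because `push-to-registry: true` is set, and none of the hunks in this commit shows a `permissions:` block granting them. A called workflow cannot hold more permissions than the calling job passes down, so if they are missing the attestation step would presumably fail at run time after the image has already been pushed. I would confirm that the calling job's `permissions:` contains `id-token: write`, `attestations: write` and `packages: write`, and add a comment on the `create-attestation` input in release-image.yaml such as `# requires caller permissions: id-token: write, attestations: write, packages: write`. The calling job's definition starts outside the hunk, so the block may already exist there.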