diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 1663390..6250bd9 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -44,16 +44,20 @@ jobs: dist/*.whl dist/*.tar.gz + - name: Move Sigstore attestations out of dist + run: | + mkdir -p attestations + if ls dist/*.sigstore.json 1> /dev/null 2>&1; then + mv dist/*.sigstore.json attestations/ + fi + - name: Upload release assets uses: softprops/action-gh-release@v2 with: files: | dist/*.whl dist/*.tar.gz - dist/*.whl.sig - dist/*.tar.gz.sig - dist/*.whl.pem - dist/*.tar.gz.pem + attestations/*.sigstore.json dist/sbom.json - name: Publish package distributions to PyPI
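Review bot: The `if ls dist/*.sigstore.json 1> /dev/null 2>&1; then` guard in the new "Move Sigstore attestations out of dist" step turns a missing attestation into a silent no-op. Because the same change drops the `.sig`/`.pem` entries from `files:`, a run where signing produced no bundles would still publish the wheel and sdist with no verification material attached. I would fail closed: drop the guard and keep only `mkdir -p attestations` and `mv dist/*.sigstore.json attestations/`, so the step errors when nothing matches. Setting `fail_on_unmatched_files: true` under `with:` on the release step would additionally make an empty `attestations/*.sigstore.json` glob a hard failure. The signing step is outside this hunk, so it may already guarantee the bundles exist; if so, a short comment on the new step saying why the files are moved out of `dist/` and that they are mandatory would make that explicit.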