diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index fceedb1..c545c27 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -131,6 +131,10 @@ jobs:
           release-suffix: ${{ format('{0}-{1}', matrix.release-suffix, inputs.prerelease_suffix || format('v{0}', github.ref_name)) }}
 
   prepare-release:
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write
     name: Prepare release
     runs-on: matterlabs-ci-runner-high-performance
     container:
@@ -199,6 +203,12 @@ jobs:
             ./releases/release-macosx-amd64-${RELEASE_SUFFIX}/macosx-amd64-${RELEASE_SUFFIX}/zkvyper-macosx-amd64-${RELEASE_SUFFIX} \
             ./releases/release-macosx-arm64-${RELEASE_SUFFIX}/macosx-arm64-${RELEASE_SUFFIX}/zkvyper-macosx-arm64-${RELEASE_SUFFIX}
 
+      - name: Binaries attestation
+        uses: actions/attest-build-provenance@v2
+        if: github.ref_type == 'tag'
+        with:
+          subject-path: 'releases/**/**'
+
       - name: Prepare release
         uses: softprops/action-gh-release@v2
         with: