diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 3af879ee..e91c0e78 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -14,8 +14,8 @@ jobs:
 permissions:
 contents: read
 packages: write
-attestations: write
 id-token: write
+security-events: write
 
 steps:
 - name: Checkout repository
@@ -34,11 +34,27 @@ jobs:
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-- name: Build and push Docker image
-id: push
+- name: Build Docker image
+uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+with:
+context: .
+push: false
+tags: ${{ steps.meta.outputs.tags }}
+labels: ${{ steps.meta.outputs.labels }}
+
+- name: Attest build provenance
+uses: actions/attest-build-provenance@v1
+with:
+artifact-digest: ${{ steps.push.outputs.digest }}
+artifact-type: 'container-image'
+artifact-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+materials: '[{"uri":"git+https://github.com/${{ github.repository }}","digest":{"sha1":"${{ github.sha }}"},"mediaType":"application/vnd.github.v3+json"}]'
+
+- name: Push Docker image
 uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
 with:
 context: .
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
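Review bot: `attestations: write` is removed in the permissions hunk, yet the `Attest build provenance` step added in the second hunk calls actions/attest-build-provenance, which needs that permission together with `id-token: write` to sign and store the attestation; with it gone the job will fail at that step. `security-events: write` is added, but nothing in the visible hunks uploads to code scanning, so unless the consumer lives outside this diff the grant is unused and widens the job's token for no reason. Keep `attestations: write` and add `security-events: write` only alongside the step that needs it.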
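Review bot: `artifact-digest: ${{ steps.push.outputs.digest }}` in the new attest step refers to a step id that this commit deletes (`- id: push`) and never re-adds, so the expression expands to an empty string and the step attests nothing, or fails. The attestation also runs before the `Push Docker image` step, so even with the id restored it would see the digest of the local `push: false` build rather than the image that actually lands in the registry; the step belongs after the push, reading that step's digest. The input names (`artifact-digest`, `artifact-type`, `artifact-name`, `materials`) do not appear to be inputs of actions/attest-build-provenance, whose documented inputs are `subject-name`, `subject-digest` and `push-to-registry` (the source repository and commit are recorded from the workflow context, so `materials` is not needed), and `@v1` is a mutable tag while the docker action on the same hunk is pinned to a commit SHA — pin both the same way. Suggested reordering below.
```yaml
      - name: Push Docker image
        id: push
        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Attest build provenance
        uses: actions/attest-build-provenance@<PINNED_COMMIT_SHA>  # placeholder: pin to a full commit SHA like the docker action
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
```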