diff --git a/.github/workflows/build-nativeshims.yml b/.github/workflows/build-nativeshims.yml
index 3b68c479..15bb2b7e 100644
--- a/.github/workflows/build-nativeshims.yml
+++ b/.github/workflows/build-nativeshims.yml
@@ -108,6 +108,13 @@ jobs:
 pack:
 name: Package artifacts
+ permissions:
+ pull-requests: write
+ checks: write
+ id-token: write
+ contents: read
+ packages: read
+ attestations: write
 runs-on: windows-2019
 needs: [build-windows, build-linux-amd64, build-linux-arm64, build-macos]
 steps:
@@ -128,6 +135,13 @@ jobs:
 with:
 name: Yubico.NativeShims.nupkg
 path: Yubico.NativeShims.*.nupkg
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: |
+ '${{ github.workspace }}/**/*.nupkg'
+ '${{ github.workspace }}/**/*.dll'
 publish-internal:
 name: Publish to internal NuGet
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 990b467d..5b5386b7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -58,8 +58,12 @@ jobs:
 runs-on: windows-2019
 needs: run-tests
 permissions:
+ pull-requests: write
+ checks: write
+ id-token: write
 contents: read
 packages: read
+ attestations: write
 steps:
 # Checkout the local repository
 - uses: actions/checkout@v4
@@ -118,6 +122,14 @@ jobs:
 Yubico.Core/src/bin/ReleaseWithDocs/**/*.dll
 Yubico.YubiKey/src/bin/ReleaseWithDocs/**/*.dll
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: |
+ '${{ github.workspace }}/**/*.nupkg'
+ '${{ github.workspace }}/**/*.snupkg'
+ '${{ github.workspace }}/**/*.dll'
+
 # Package the OATH sample code source
 - name: Save build artifacts
 uses: actions/upload-artifact@v4
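Review bot: The `permissions` block added to the `pack` job in build-nativeshims.yml (`@@ -108,6 +108,13 @@`) grants `pull-requests: write` and `checks: write`, which nothing visible in this hunk uses; `actions/attest-build-provenance` itself needs only `id-token: write`, `attestations: write` and `contents: read`. Each extra write scope widens what a compromised step or dependency in this job could do with the token, so drop the two unless a step outside the hunk needs them. If one does, record which in a comment such as `# checks: write is required by <step name>`. The same two scopes are added to the job in build.yml at `@@ -58,8 +58,12 @@`, and the job's step list continues outside the hunk.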
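Review bot: In the `Generate artifact attestation` step of build-nativeshims.yml (`@@ -128,6 +135,13 @@`), the single quotes inside the `subject-path: |` block scalar are literal characters of the value, not YAML quoting, so each pattern reaches the action with the quotes included. Whether the action strips them is not visible here; the unambiguous form is unquoted. A relative pattern like the upload step's `Yubico.NativeShims.*.nupkg` also avoids expanding a Windows workspace path with backslashes into a glob. Confirm in a run log that the step reports the expected subjects rather than matching nothing. The attestation step in build.yml at `@@ -118,6 +122,14 @@` is quoted the same way.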
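Review bot: The write scopes added at `@@ -58,8 +58,12 @@` in build.yml are not granted when the workflow runs for a pull request from a fork, where the token is read-only and no OIDC token is issued, so the attestation step added later in this job would presumably fail there. The workflow's triggers are outside the hunk; if it does run on `pull_request`, guard the step with something like `if: github.event_name != 'pull_request'` so external contributions still build while only trusted refs produce signed provenance. The same consideration applies to the `pack` job in build-nativeshims.yml.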
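Review bot: The patterns `**/*.nupkg`, `**/*.snupkg` and `**/*.dll` under `github.workspace` in build.yml (`@@ -118,6 +122,14 @@`) cover every matching file in the checkout, which likely includes restored dependencies and test output, so the provenance would claim this workflow built binaries it only downloaded. The context lines just above list `Yubico.Core/src/bin/ReleaseWithDocs/**/*.dll` and `Yubico.YubiKey/src/bin/ReleaseWithDocs/**/*.dll`; attest those same paths, plus the specific package output paths, so the signed subjects are exactly the files that ship. A narrow list also stays clear of the action's limit on the number of subjects. Since this step runs with `id-token: write`, consider pinning it to a full commit SHA, `uses: actions/attest-build-provenance@<full-commit-sha> # v2`.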