diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 81b70b82..d2f73e8f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -114,11 +114,26 @@ jobs:
         uses: docker/bake-action@v4
         with:
           targets: artifact
+          provenance: mode=max
+          sbom: true
           pull: true
           set: |
             *.platform=${{ matrix.platform }}
             *.cache-from=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }}
             *.cache-to=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }},mode=max
+      -
+        name: Rename provenance and sbom
+        working-directory: ${{ env.DESTDIR }}/artifact
+        run: |
+          binname=$(find . -name 'ddns-route53_*')
+          filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
+          mv "provenance.json" "${filename}.provenance.json"
+          mv "sbom-binary.spdx.json" "${filename}.sbom.json"
+          find . -name 'sbom*.json' -exec rm {} \;
+      -
+        name: List artifacts
+        run: |
+          tree -nh ${{ env.DESTDIR }}
       -
         name: Upload artifact
         uses: actions/upload-artifact@v4
@@ -233,6 +248,8 @@ jobs:
             ./docker-bake.hcl
             ${{ steps.meta.outputs.bake-file }}
           targets: image-all
+          provenance: mode=max
+          sbom: true
           pull: true
           push: ${{ github.event_name != 'pull_request' }}
           set: |