diff --git a/.github/workflows/cflite_batch.yml b/.github/workflows/cflite_batch.yml
index 8f06601..23fe255 100644
--- a/.github/workflows/cflite_batch.yml
+++ b/.github/workflows/cflite_batch.yml
@@ -5,11 +5,12 @@ on:
 permissions:
 contents: read
- security-events: write
 jobs:
 BatchFuzzing:
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
index 81a6015..513a704 100644
--- a/.github/workflows/cflite_pr.yml
+++ b/.github/workflows/cflite_pr.yml
@@ -7,11 +7,12 @@ on:
 permissions:
 contents: read
- security-events: write
 jobs:
 PR:
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
 concurrency:
 group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 0353dfb..0fc00e7 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -20,12 +20,14 @@ on:
 ###############################################################################
 permissions:
 contents: read # needed for checkout + GH API
- packages: write # push to ghcr.io
 ###############################################################################
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write # push to ghcr.io
 steps:
 # -----------------------------------------------------------------------
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d0b0e7b..37e5aaf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -354,6 +354,8 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+ id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Determine tag
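Review bot: A job-level `permissions` block replaces the workflow-level one rather than extending it, so after this hunk the BatchFuzzing job's GITHUB_TOKEN carries only `security-events: write`; `contents: read` from the top of the file no longer applies to it, because every scope not listed at job level is set to none. If anything in the job (a checkout done by the ClusterFuzzLite actions, or any step that reaches the repository API with the token) depends on reading the repository, add `contents: read` next to `security-events: write` in the new job-level block, the way the release-docker.yml hunk in this same commit keeps it. The job body continues past the hunk, so the steps that would be affected are not visible here.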
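Review bot: The new job-level block for the PR job silently drops `contents: read`, since job-level `permissions` is not merged with the workflow-level block — any scope omitted there becomes none. Unless the job is known to work with a token that cannot read the repository, list both scopes: `permissions:` / `contents: read` / `security-events: write`. If this workflow runs on `pull_request` (the trigger is outside the hunk), note too that runs from fork PRs get a read-only GITHUB_TOKEN regardless of this block, so the SARIF upload that needs `security-events: write` can only succeed for same-repository branches; a one-line comment on the block such as `# write is only effective for same-repo PRs; fork PRs get a read-only token` would save the next maintainer a debugging round.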
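Review bot: With `contents: read` and `packages: write` now scoped to build-and-push, the workflow-level `permissions: contents: read` only serves jobs that lack their own block; if build-and-push is the only job (the rest of the file is not in the hunk), consider tightening the top-level block to `permissions: {}` so that any job added later starts with no token rights and has to declare what it needs. The comment `# needed for checkout + GH API` on the workflow-level line would then move down beside the job-level `contents: read`, which is where the need actually lives after this change.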
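Review bot: `id-token: write` and `attestations: write` are granted to the entire release job, which already holds `contents: write`, so every step and third-party action in the job — not only the attestation step — can now mint an OIDC token that identifies this repository's release workflow. The two added lines carry no explanation; document them as `id-token: write  # OIDC token for Sigstore signing in attest-build-provenance` and `attestations: write  # store the provenance attestation on the repository`. Given that breadth, every action in this job should stay pinned by commit SHA as the visible checkout is; the job's remaining steps run past the hunk and cannot be checked here. If the build steps pull in a large or untrusted dependency tree, moving the attestation step and these two scopes into a separate job that downloads the built artifacts would confine the OIDC capability to a job whose only work is attesting.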
@@ -398,3 +400,8 @@ jobs:
 allowUpdates: true
 generateReleaseNotes: false
 artifacts: target/release/**
+
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+ with:
+ subject-path: 'target/release/*'
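Review bot: The subject glob `target/release/*` on the new attest step does not match the `target/release/**` used for the release `artifacts:` three lines above it, so any published file in a subdirectory would be uploaded without a matching attestation, while `*` on what appears to be a Cargo target directory would also sweep in non-release content such as `deps/`, `build/` and `.d` files — whether the action accepts or rejects those matches, it is not the set of shipped binaries. Attest exactly what is published: use the same glob on both inputs, or better, point both at an explicit list of release binaries via `subject-path: |` with one path per line. Add a comment on the step telling consumers how to check it, e.g. `# verify with: gh attestation verify <file> --repo <owner>/<repo>`. Because the step runs after the release is created, an attestation failure leaves assets already published without provenance; attesting before the release step would make a failed attestation fail the release as a whole. The enclosing job begins outside this hunk.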