diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0decb9ebf..44d9af626 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -264,6 +264,9 @@ jobs:
     environment: ${{ (github.ref == 'refs/heads/citest' || startsWith(github.ref, 'refs/tags/')) && 'deploy-release' || 'deploy-snapshot' }}
     needs: check
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
     env:
       # PyPI and MSFT keys are only available for the deploy-release environment
       # The AWS access key for snapshots is scoped to branches/* as well.
@@ -302,20 +305,14 @@ jobs:
           path: docs/archive
       - uses: actions/download-artifact@v4
         with:
-          name: binaries.windows
+          pattern: binaries.*
+          merge-multiple: true
           path: release/dist
-      - uses: actions/download-artifact@v4
+      - id: provenance
+        uses: actions/attest-build-provenance@v1
         with:
-          name: binaries.linux
-          path: release/dist
-      - uses: actions/download-artifact@v4
-        with:
-          name: binaries.macos-x86_64
-          path: release/dist
-      - uses: actions/download-artifact@v4
-        with:
-          name: binaries.macos-arm64
-          path: release/dist
+          subject-path: 'release/dist/*'
+      - run: mv ${{ steps.provenance.outputs.bundle-path }} release/dist/mitmproxy-${{ github.ref_name }}.sigstore
       - run: ls docs/public
       - run: ls release/dist