diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 2e3b4cb0..098a4f5f 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -29,6 +29,8 @@ jobs:
       url: https://pypi.org/p/hist
     permissions:
       id-token: write
+      attestations: write
+      contents: read
 
     steps:
     - uses: actions/download-artifact@v4
@@ -36,4 +38,9 @@ jobs:
         name: Packages
         path: dist
 
+    - name: Generate artifact attestation for sdist and wheel
+      uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-path: "dist/hist-*"
+
     - uses: pypa/gh-action-pypi-publish@release/v1