diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0f04944..b5bc8a1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,13 +5,12 @@ on:
   tags:
     - "*"
 
-permissions:
-  contents: write
-  id-token: write
-  attestations: write
+permissions: {}
 
 jobs:
   release:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
@@ -34,6 +33,26 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # pin@v2
+      - name: upload artifact
+        uses: actions/upload-artifact@4.6.2
         with:
-          subject-path: "dist/"
+          name: gh-combine
+          path: dist/
+
+  sign:
+    needs: release
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
+    uses: github/salsa/.github/workflows/sign-artifact.yml@main
+    with:
+      name: gh-combine
+      artifact-path: dist/
+
+  verify:
+    needs: sign
+    uses: github/salsa/.github/workflows/verify.yml@main
+    with:
+      name: gh-combine
+      artifact-path: dist/
diff --git a/README.md b/README.md
index 635b2e6..475d90a 100644
--- a/README.md
+++ b/README.md
@@ -212,6 +212,15 @@ gh combine owner/repo --no-color
 LOG_LEVEL=DEBUG gh combine owner/repo
 ```
 
+## Verifying Release Binaries
+
+This project uses [goreleaser](https://goreleaser.com/) to build binaries and [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) to publish the provenance of the release.
+
+You can verify the release binaries by following these steps:
+
+1. Download a release from the [releases page](https://github.com/github/gh-combine/releases).
+2. Verify it `gh attestation verify --owner github ~/Downloads/darwin-arm64` (an example for darwin-arm64).
+
 ---
 
 Run `gh combine --help` for more information and full command/options usage.
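Review bot: The new `upload artifact` step and both reusable-workflow references give up the commit-SHA pinning that the removed `attest-build-provenance` line had: `actions/upload-artifact@4.6.2` is a mutable tag (and since that action's release tags are `v`-prefixed, `4.6.2` likely does not resolve at all), while `github/salsa/...@main` in the `sign` and `verify` jobs tracks a branch, so whoever can push to that branch controls a job that holds `id-token: write` and `attestations: write`. Pin all three to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/upload-artifact@<commit-sha>  # v4.6.2` and `uses: github/salsa/.github/workflows/sign-artifact.yml@<commit-sha>  # <tag>`. The `verify` job declares no `permissions:` and the workflow level is now `permissions: {}`, so the called `verify.yml` runs with an empty token; if it needs to read the release or its attestations this will fail, so consider an explicit `permissions: contents: read` on that job once the called workflow's needs are confirmed. The `release` job's steps continue outside the hunk, so the goreleaser step producing `dist/` is not visible here. Note also that the README hunk in this same commit still credits `actions/attest-build-provenance` with publishing provenance, which this hunk removes in favour of the `sign` job.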