diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5ac77c28..9b1b68ab 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,10 +26,18 @@ jobs:
     name: ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
 
+    env:
+      ATTEST: ${{ github.event.repository.fork == false && (github.ref_name == github.event.repository.default_branch || startsWith(github.ref, 'refs/tags/v')) && matrix.os_name == 'windows' }}
+
     outputs:
       dotnet-sdk-version: ${{ steps.setup-dotnet.outputs.dotnet-version }}
       dotnet-validate-version: ${{ steps.get-dotnet-validate-version.outputs.dotnet-validate-version }}
 
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -62,6 +70,19 @@ jobs:
         flags: ${{ matrix.os_name }}
         token: ${{ secrets.CODECOV_TOKEN }}
 
+    - name: Generate SBOM
+      uses: anchore/sbom-action@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+      if: env.ATTEST == 'true'
+      with:
+        path: ./artifacts/bin/MartinCostello.Logging.XUnit
+        output-file: ./artifacts/sbom.spdx.json
+
+    - name: Attest provenance
+      uses: actions/attest-build-provenance@f8d5ea8082b0d9f5ab855907be308fbd7eefb155 # v1.1.0
+      if: env.ATTEST == 'true'
+      with:
+        subject-path: ./artifacts/bin/MartinCostello.Logging.XUnit/**/*.dll
+
     - name: Publish artifacts
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c3a2f73c..f7f1d4f7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -29,11 +29,11 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
-      
+
     - name: Add actionlint problem matcher
       run: echo "::add-matcher::.github/actionlint-matcher.json"
 
     - name: Lint workflows
-      uses: docker://rhysd/actionlint@sha256:daa1edae4a6366f320b68abb60b74fb59a458c17b61938d3c62709d92b231558 # v1.6.27
+      uses: docker://rhysd/actionlint@sha256:5acca218639222e4afbc82fc6e9ef56cbe646ade3b07f3f5ec364b638258a244 # v1.7.0
       with:
         args: -color