diff --git a/.github/workflows/docker-hub-develop.yml b/.github/workflows/docker-hub-develop.yml index d605ba1..fb66a2b 100644 --- a/.github/workflows/docker-hub-develop.yml +++ b/.github/workflows/docker-hub-develop.yml @@ -24,9 +24,9 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - packages: write contents: read attestations: write + artifact-metadata: write steps: - name: Check out uses: actions/checkout@v4 @@ -50,7 +50,7 @@ jobs: - name: Build image id: push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile @@ -65,3 +65,12 @@ jobs: sbom: true tags: | ${{ env.DOCKER_NAMESPACE }}/draupnir:develop + + - name: Attest pushed image + id: attest + if: ${{ env.PUSH == 'true' }} + uses: actions/attest@v4 + with: + subject-name: docker.io/${{ env.DOCKER_NAMESPACE }}/draupnir + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/docker-hub-latest.yml b/.github/workflows/docker-hub-latest.yml index 274b538..d43afb4 100644 --- a/.github/workflows/docker-hub-latest.yml +++ b/.github/workflows/docker-hub-latest.yml @@ -22,9 +22,9 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - packages: write contents: read attestations: write + artifact-metadata: write steps: - name: Check out uses: actions/checkout@v4 @@ -49,7 +49,7 @@ jobs: - name: Build image id: push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile @@ -63,3 +63,11 @@ jobs: sbom: true tags: | ${{ env.DOCKER_NAMESPACE }}/draupnir:latest + + - name: Attest pushed image + id: attest + uses: actions/attest@v4 + with: + subject-name: docker.io/${{ env.DOCKER_NAMESPACE }}/draupnir + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/docker-hub-release.yml b/.github/workflows/docker-hub-release.yml index 3cb8b28..5093371 100644 --- a/.github/workflows/docker-hub-release.yml 
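Review bot: The new `artifact-metadata: write` line sits next to the retained `attestations: write` in the permissions block, so the job now carries two attestation-related write scopes where `actions/attest@v4` presumably needs only one. If `artifact-metadata: write` is the scope the v4 action now requires (which its addition suggests), `attestations: write` becomes dead privilege and should be dropped, or the reverse if it is still the documented one; keep only the scope the action's README lists and put `# required by actions/attest to sign and upload the attestation` above it. Removing `packages: write` here is correct since this workflow pushes to Docker Hub rather than GHCR, but note that `push-to-registry: true` later in the file then depends entirely on the Docker Hub login step, which is outside this hunk.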
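Review bot: The added `Attest pushed image` step calls the generic `actions/attest` action with only `subject-name`, `subject-digest` and `push-to-registry`, but as far as I recall that action also requires `predicate-type` plus one of `predicate`/`predicate-path`, so the step would fail at runtime or, if defaults exist, upload an attestation that carries no build provenance. If the goal is SLSA build provenance for the image, the matching action is `actions/attest-build-provenance`, which takes exactly these subject inputs: `uses: actions/attest-build-provenance@v2` (confirm the current major against its README). Whichever action is used, pin it by full commit SHA rather than a mutable tag, since this step is the trust anchor consumers will verify, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v2.x`. The `if: ${{ env.PUSH == 'true' }}` gate is good; `PUSH` itself is set outside the hunk.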
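Review bot: Unlike the develop workflow's new attest step, this `Attest pushed image` step in docker-hub-latest.yml has no `if: ${{ env.PUSH == 'true' }}` guard, so if the build step in this file is ever configured not to push (its `push:` input is outside the hunk), `steps.push.outputs.digest` would name an image that is not on Docker Hub and `push-to-registry: true` would fail the job rather than skip. If this workflow always pushes, a one-line comment above the step saying so removes the apparent inconsistency; otherwise add the same `if:` gate as in docker-hub-develop.yml. The `docker.io/${{ env.DOCKER_NAMESPACE }}/draupnir` subject must match the pushed reference including the registry host; the tag line uses the bare `${{ env.DOCKER_NAMESPACE }}/draupnir:latest`, which Docker resolves to docker.io implicitly, so that appears consistent but is worth a comment.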
+++ b/.github/workflows/docker-hub-release.yml @@ -22,14 +22,15 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - packages: write contents: read attestations: write + artifact-metadata: write steps: - name: Check out uses: actions/checkout@v4 - name: Get release tag - run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV + id: release_version + run: echo "release_version=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - name: Unshallow for git describe so we can create version.txt run: git fetch --prune --unshallow --tags --all --force @@ -50,7 +51,7 @@ jobs: - name: Build image id: push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile @@ -63,4 +64,12 @@ jobs: org.opencontainers.image.licenses=AFL-3.0 sbom: true tags: | - ${{ env.DOCKER_NAMESPACE }}/draupnir:${{ env.RELEASE_VERSION }} + ${{ env.DOCKER_NAMESPACE }}/draupnir:${{ steps.release_version.outputs.release_version }} + + - name: Attest pushed image + id: attest + uses: actions/attest@v4 + with: + subject-name: docker.io/${{ env.DOCKER_NAMESPACE }}/draupnir + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/ghcr-latest.yml b/.github/workflows/ghcr-latest.yml index d64e3bf..20639ce 100644 --- a/.github/workflows/ghcr-latest.yml +++ b/.github/workflows/ghcr-latest.yml @@ -20,6 +20,7 @@ jobs: packages: write contents: read attestations: write + artifact-metadata: write steps: - name: Check out uses: actions/checkout@v4 
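Review bot: `release_version=${GITHUB_REF#refs/*/}` strips whatever ref prefix is present, so if this workflow can be started on a branch ref (for example via `workflow_dispatch`, whose `on:` block is outside the hunk) the image would be pushed and attested under a branch name as its release tag. Since the step now has an id and an output, it is the right place to refuse non-tag refs: `[[ "$GITHUB_REF" == refs/tags/* ]] || { echo "not a tag ref: $GITHUB_REF" >&2; exit 1; }` followed by `echo "release_version=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"`. Quoting `$GITHUB_OUTPUT` also matches the shell hygiene the rest of the file should follow.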
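Review bot: The `Attest pushed image` step for the release image references `actions/attest@v4` by a mutable major tag (as does `docker/build-push-action@v6` in the previous hunk), so the job that signs the release artefact runs whatever code those tags point to on the day; pin each action to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/attest@<full-commit-sha> # v4`, and let Dependabot bump the pins. Also confirm the generic `actions/attest` action is intended here rather than `actions/attest-build-provenance`: the former expects a `predicate-type` and `predicate` input that this step does not supply. The attestation is keyed by `steps.push.outputs.digest`, not by the `release_version` tag, so anyone retagging the digest later will still see the same provenance, which is the desired property.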
@@ -28,7 +29,8 @@ jobs: - name: Unshallow for git describe so we can create version.txt run: git fetch --prune --unshallow --tags --all --force - name: Set lowercase image owner - run: echo "IMAGE_OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV + id: image_owner + run: echo "image_owner=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT # Needed for multi platform builds - name: Set up QEMU @@ -48,7 +50,7 @@ jobs: - name: Build and push image to GHCR id: push_ghcr - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile @@ -61,4 +63,12 @@ jobs: org.opencontainers.image.licenses=AFL-3.0 sbom: true tags: | - ghcr.io/${{ env.IMAGE_OWNER }}/draupnir:latest + ghcr.io/${{ steps.image_owner.outputs.image_owner }}/draupnir:latest + + - name: Attest pushed image + id: attest + uses: actions/attest@v4 + with: + subject-name: ghcr.io/${{ steps.image_owner.outputs.image_owner }}/draupnir + subject-digest: ${{ steps.push_ghcr.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/ghcr-release.yml b/.github/workflows/ghcr-release.yml index d0e0770..d42b951 100644 --- a/.github/workflows/ghcr-release.yml +++ b/.github/workflows/ghcr-release.yml 
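Review bot: The rewritten `Set lowercase image owner` step still interpolates `${{ github.repository_owner }}` directly into the shell command; `repository_owner` is constrained by GitHub to a safe character set so this is not exploitable today, but it is the pattern that becomes command injection the moment the context is swapped for a user-controlled one such as `github.event.*`. Prefer passing it through the environment: `env:` / `OWNER: ${{ github.repository_owner }}` on the step and `run: echo "image_owner=${OWNER,,}" >> "$GITHUB_OUTPUT"`, which also drops the `tr` pipeline. Moving from `GITHUB_ENV` to `GITHUB_OUTPUT` is a good change since the value is now scoped to an explicit step output rather than leaking into every later step.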
@@ -20,15 +20,18 @@ jobs: packages: write contents: read attestations: write + artifact-metadata: write steps: - name: Check out uses: actions/checkout@v4 - name: Get release tag - run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV + id: release_version + run: echo "release_version=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - name: Unshallow for git describe so we can create version.txt run: git fetch --prune --unshallow --tags --all --force - name: Set lowercase image owner - run: echo "IMAGE_OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV + id: image_owner + run: echo "image_owner=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT # Needed for multi platform builds - name: Set up QEMU @@ -48,7 +51,7 @@ jobs: - name: Build and push image to GHCR id: push_ghcr - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile @@ -61,4 +64,12 @@ jobs: org.opencontainers.image.licenses=AFL-3.0 sbom: true tags: | - ghcr.io/${{ env.IMAGE_OWNER }}/draupnir:${{ env.RELEASE_VERSION }} + ghcr.io/${{ steps.image_owner.outputs.image_owner }}/draupnir:${{ steps.release_version.outputs.release_version }} + + - name: Attest pushed image + id: attest + uses: actions/attest@v4 + with: + subject-name: ghcr.io/${{ steps.image_owner.outputs.image_owner }}/draupnir + subject-digest: ${{ steps.push_ghcr.outputs.digest }} + push-to-registry: true
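Review bot: Nothing in the new `Attest pushed image` step or the surrounding workflow says how consumers should verify the attestation it pushes, and an unexplained `push-to-registry` artefact is easy to ignore. Add a comment above the step such as `# Verify with: gh attestation verify oci://ghcr.io/<owner>/draupnir@<digest> --owner <owner>`, filling in the owner from the repository; verification is by digest, since the `:tag` is not part of the attestation subject. As with the other workflows, confirm that `actions/attest` with no `predicate-type` input is what is intended here rather than `actions/attest-build-provenance`, and pin the action to a commit SHA because this job signs the release image. `packages: write` is correctly retained in this file, as `push-to-registry: true` against ghcr.io needs it.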