diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e8e31abe..7f2ee270 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,6 +26,26 @@ jobs:
 ref: ${{ github.event.inputs.tag || github.ref }}
 - uses: hynek/build-and-inspect-python-package@eb6b0c7cc5e1f38eec42c970925e1b3420faa015
+ upload-to-release:
+ name: Upload to GitHub Release
+ if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
+ runs-on: ubuntu-latest
+ needs: [build]
+ permissions:
+ contents: write # IMPORTANT: mandatory for making GitHub Releases
+
+ steps:
+ - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
+ with:
+ name: Packages
+ path: dist
+ - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
+ with:
+ file: dist/**
+ tag: ${{ github.event.inputs.tag || github.ref }}
+ overwrite: false
+ file_glob: true
+
 publish:
 name: Publish to PyPI
 if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.publish == 'true'
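Review bot: The `if:` on the new upload-to-release job fires on every `workflow_dispatch`, while its `tag:` falls back to `github.ref` whenever the tag input is empty, so a manual run from a branch hands the upload action a branch ref (something like `refs/heads/main`, constructed example) as the release tag; whether the action then creates a stray release or fails is not visible here. The sibling publish job gates on an explicit input (`github.event.inputs.publish == 'true'`), and gating this job on the tag input would be consistent and avoid the fallback: `if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.tag != ''`. The `overwrite: false` setting and the `contents: write`-only permission set are the right shape for a job that only attaches build outputs to a release. A one-line comment above `file: dist/**`, such as `# Packages artifact from the build job; everything under dist/ is attached to the release`, would tell a reader where the uploaded files come from.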
@@ -51,22 +71,22 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 permissions:
- contents: write # IMPORTANT: mandatory for making GitHub Releases
- id-token: write # IMPORTANT: mandatory for sigstore
+ contents: write # IMPORTANT: mandatory for making GitHub Releases
+ id-token: write # IMPORTANT: mandatory for attestations
+ attestations: write # IMPORTANT: mandatory for attestations
 steps:
 - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
 with:
 name: Packages
 path: dist
- - uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2
+ - uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d
+ id: attest
 with:
- inputs: >-
- ./dist/*.tar.gz
- ./dist/*.whl
+ subject-path: "./dist/citric*"
 - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
 with:
- file: dist/**
+ file: ${{ steps.attest.outputs.bundle-path }}
 tag: ${{ github.event.inputs.tag || github.ref }}
 overwrite: false
- file_glob: true
+ asset_name: attestations.intoto.jsonl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4213df2a..51823c75 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -41,6 +41,9 @@ repos:
 rev: v2.2.6
 hooks:
 - id: codespell
+ # TODO: Use inline ignores, e.g. # codespell:ignore intoto
+ # https://github.com/codespell-project/codespell/issues/3387
+ args: [-L, intoto]
 additional_dependencies:
 - tomli
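Review bot: `subject-path: "./dist/citric*"` narrows the attested subjects to files whose name begins with the project name, where the replaced sigstore step covered every `./dist/*.tar.gz` and `./dist/*.whl`; a project rename or any additional distribution file in dist/ would then be published without provenance, and the attestation is only as strong as its subject list. If the action accepts a list of paths, keeping the explicit globs — `subject-path: |` followed by `./dist/*.tar.gz` and `./dist/*.whl` on the next two lines — keeps coverage equal to what the old step had. The upload step now attaches only `attestations.intoto.jsonl`, and a reader of this job alone cannot see where the wheels and sdists go; a comment above `file: ${{ steps.attest.outputs.bundle-path }}` such as `# attestation bundle for the dist/ subjects; the distributions themselves are attached by the upload-to-release job` would close that gap. The publish job continues past the end of the hunk.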