diff --git a/.github/templates/release.md b/.github/templates/release.md
index 071da11..c406f69 100644
--- a/.github/templates/release.md
+++ b/.github/templates/release.md
@@ -13,4 +13,4 @@ Update description
 https://github.com/maxgoedjen/secretive/actions/runs/RUN_ID
 
 ## Attestation
-https://github.com/maxgoedjen/secretive/actions/runs/RUN_ID
+https://github.com/maxgoedjen/secretive/attestations/ATTESTATION_ID
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 1aa1eaf..b5f109c 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -39,14 +39,11 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
         APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
-    - name: Document SHAs
-      run: |
-        echo "sha-512:"
-        shasum -a 512 Secretive.zip
-        shasum -a 512 Archive.zip
-        echo "sha-256:"
-        shasum -a 256 Secretive.zip
-        shasum -a 256 Archive.zip
+    - name: Attest
+      id: attest
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: 'Secretive.zip'
     - name: Upload App to Artifacts
       uses: actions/upload-artifact@v4
       with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index df9b852..0d8fb65 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
     runs-on: macos-15
     permissions:
       id-token: write
-      contents: read
+      contents: write
       attestations: write
     timeout-minutes: 10
     steps:
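Review bot: The new Attest step in nightly.yml attests only `Secretive.zip`, while the Document SHAs step it replaces hashed both `Secretive.zip` and `Archive.zip`, so if Archive.zip is still built and uploaded in this job it now ships with no provenance; if that is intended, fine, otherwise use `subject-path: 'Secretive.zip, Archive.zip'` as release.yml does for its two artifacts. The step also needs `id-token: write` and `attestations: write` in the nightly job's permissions, which are not visible in this hunk — confirm they are set, since the job would fail at this step otherwise. `id: attest` is not read by anything in this hunk; if nothing downstream uses `steps.attest.outputs`, drop the id or add a comment saying what it is kept for. The enclosing job starts and ends outside the hunk.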
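Review bot: Raising `contents` from `read` to `write` in release.yml grants the job's GITHUB_TOKEN repository-write and release rights for every step in the job, including the third-party attest and upload actions and the steps that hold the Apple notarization key, when, as far as this hunk shows, only `gh release create`/`gh release upload` need it. Consider moving release creation into a separate job that downloads the built artifacts and is the only one with `contents: write`, keeping the build/notarize job at `contents: read`. If the single-job layout is kept, a comment such as `# contents: write is required by gh release create/upload below` makes the widening deliberate and reviewable. The surrounding job definition starts and ends outside the hunk.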
@@ -65,18 +65,23 @@ jobs:
         APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
         APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
       run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
-    - name: Attest
+    - name: Attest
+      id: attest
       uses: actions/attest-build-provenance@v2
       with:
         subject-path: 'Secretive.zip, Xcode_Archive.zip'
     - name: Create Release
       run: |
-        gh release create $TAG_NAME -d -F templates/release.md
+        sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
+        sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
+        gh release create $TAG_NAME -d -F .github/templates/release.md
         gh release upload Secretive.zip
         gh release upload Xcode_Archive.zip
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         TAG_NAME: ${{ github.ref }}
+        RUN_ID: ${{ github.run_id }}
+        ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
     - name: Upload App to Artifacts
       uses: actions/upload-artifact@v4
       with:
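Review bot: The `sed` substitutions in Create Release have no guard on `ATTESTATION_ID` or `RUN_ID`: if the Attest step yields an empty `attestation-id`, the template is rewritten with an empty value and the draft release silently links to a broken `attestations/` URL instead of the step failing. Add `: "${ATTESTATION_ID:?attestation-id missing}"` and `: "${RUN_ID:?run id missing}"` before the first `sed`, or pass the action's `attestation-url` output through instead of hand-assembling the link in the template. `sed -i.tmp` also leaves a `release.md.tmp` backup beside the template in the checkout; removing it afterwards keeps the workspace clean. Whether a single `attestation-id` covers both files listed in `subject-path` is not visible here and is worth confirming against the action's documentation before relying on the link. The job continues outside the hunk.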