diff --git a/.github/workflows/container_image_publish.yml b/.github/workflows/container_image_publish.yml
index 0819aae6103..86d4e39f1d8 100644
--- a/.github/workflows/container_image_publish.yml
+++ b/.github/workflows/container_image_publish.yml
@@ -23,6 +23,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ attestations: write
 steps:
 - name: Parse Kolibri version
@@ -40,6 +41,13 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v4
+ - name: Log in to Docker Hub Registry
+ uses: docker/login-action@v4
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ scope: '${{ env.IMAGE_NAME }}@push'
+
 - name: Log in to Github Container Registry
 uses: docker/login-action@v4
 with:
@@ -47,13 +55,6 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Log in to Docker Hub Registry
- uses: docker/login-action@v4
- with:
- registry: docker.io
- username: ${{ vars.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
-
 - name: Extract metadata (tags, labels)
 id: meta
 uses: docker/metadata-action@v6
@@ -61,8 +62,8 @@ jobs:
 DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 with:
 images: |
- ghcr.io/${{ env.IMAGE_NAME }}
 docker.io/${{ env.IMAGE_NAME }}
+ ghcr.io/${{ env.IMAGE_NAME }}
 tags: |
 type=semver,pattern={{version}},value=${{ steps.parse-version.outputs.kolibri_version }}
 type=semver,pattern={{major}}.{{minor}},value=${{ steps.parse-version.outputs.kolibri_version }}
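Review bot: `attestations: write` on its own will not let the attestation steps this commit adds succeed; `actions/attest` signs with the job's OIDC identity token, which needs `id-token: write`, and a job-level `permissions` block sets every scope it does not list to none, so no workflow-level grant can supply it. Add `id-token: write` directly under `attestations: write`. A one-line comment on the block, `# attestations + id-token: required by actions/attest to sign and store the attestation`, would record why the extra scopes exist so they are not pruned later.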
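Review bot: The relocated Docker Hub login dropped the explicit `registry: docker.io` that the removed step carried; the action defaults to Docker Hub so it still works, but the GHCR step right below keeps its `registry:` key and an explicit host also documents what the later `index.docker.io/...` attestation subject refers to, so I would restore `registry: docker.io` above `username:`. The new `scope: '${{ env.IMAGE_NAME }}@push'` presumably narrows the long-lived Docker Hub token to pushing this one repository, which is the right direction for a credential that, unlike `GITHUB_TOKEN`, does not expire with the job; please add a comment saying so, e.g. `# restrict the Docker Hub token to pushing this repository only`, and confirm the scope string format against the docs for the pinned `docker/login-action` major, since a malformed scope may silently fall back to the token's full rights.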
@@ -81,3 +82,17 @@ jobs:
 build-args: |
 KOLIBRI_VERSION=${{ steps.parse-version.outputs.kolibri_version }}
 KOLIBRI_VERSION_SPEC===${{ steps.parse-version.outputs.kolibri_version }}
+
+ - name: Generate Docker Hub artifact attestation
+ uses: actions/attest@v4
+ with:
+ subject-name: index.docker.io/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
+ - name: Generate Github artifact attestation
+ uses: actions/attest@v4
+ with:
+ subject-name: ghcr.io/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
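Review bot: Both new steps call `actions/attest@v4` with only a subject, but that action is the generic attestation builder and, per its documented inputs, requires `predicate-type` plus one of `predicate`/`predicate-path`, so as written the steps should fail before anything is signed (unless v4 changed those inputs, which I cannot verify here). If the goal is SLSA build provenance for the published image, the intended action is `actions/attest-build-provenance`, pinned to its current major, which takes exactly these `subject-name`/`subject-digest`/`push-to-registry` inputs and generates the provenance predicate itself. Reusing `steps.push.outputs.digest` for both registries is correct only if the build/push step with id `push` (outside this hunk) pushes the same manifest to both hosts in one invocation; a comment such as `# one build pushes the identical manifest to both registries, so the digest is shared` would make that dependency explicit.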