diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index fae55e6d5642c..e49cea599d124 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -23,6 +23,10 @@ jobs:
       fail-fast: false
       matrix:
         version: ["18.04", "20.04", "22.04", "24.04"]
+    permissions:
+      contents: read # for code access
+      attestations: write # for actions/attest-build-provenance
+      id-token: write # for actions/attest-build-provenance
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
index 3159df5594e86..5b0df5dadc341 100644
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@@ -19,6 +19,10 @@ jobs:
   build:
     if: github.repository_owner == 'Homebrew' && github.actor != 'dependabot[bot]'
     runs-on: macos-latest
+    permissions:
+      contents: read # for code access
+      attestations: write # for actions/attest-build-provenance
+      id-token: write # for actions/attest-build-provenance
     outputs:
       installer_path: "Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg"
     env:
@@ -119,6 +123,11 @@ jobs:
             security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
           fi
 
+      - name: Generate build provenance
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+        with:
+          subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg
+
       - name: Upload installer to GitHub Actions
         uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
         with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 79d48a7700b8b..93c873c70960f 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -239,14 +239,30 @@ jobs:
       - name: Deploy the Docker image to GitHub Packages and Docker Hub
         if: github.ref == 'refs/heads/master'
         run: |
-          echo ${{secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN}} |
+          echo ${{ secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN }} |
             docker login ghcr.io -u BrewTestBot --password-stdin
-          docker tag brew "ghcr.io/homebrew/ubuntu22.04:master"
-          docker push "ghcr.io/homebrew/ubuntu22.04:master"
-          echo ${{secrets.HOMEBREW_BREW_DOCKER_TOKEN}} |
+          docker tag brew "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}"
+          docker push "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}"
+          echo ${{ secrets.HOMEBREW_BREW_DOCKER_TOKEN }} |
             docker login -u brewtestbot --password-stdin
-          docker tag brew "homebrew/ubuntu22.04:master"
-          docker push "homebrew/ubuntu22.04:master"
+          docker tag brew "homebrew/ubuntu22.04:${{ github.ref_name }}"
+          docker push "homebrew/ubuntu22.04:${{ github.ref_name }}"
+
+      - name: Generate Docker image digest
+        if: github.ref == 'refs/heads/master'
+        id: digest
+        run: |
+          digest="$(docker image inspect --format='{{.Digest}}' brew)"
+          echo "digest=$digest" >> "$GITHUB_OUTPUT"
+
+      - name: Generate Docker image build provenance
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+        if: github.ref == 'refs/heads/master'
+        id: attest
+        with:
+          push-to-registry: true
+          subject-digest: ${{ steps.digest.outputs.digest }}
+          subject-name: ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}
 
   update-test:
     name: ${{ matrix.name }}