diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index 69e27ab..6dfc96c 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -1,41 +1,71 @@
 ---
-name: slsa
+name: SLSA
 on:
   push:
   release:
+    permissions:
+      contents: write
     types: [published, released]
+
+permissions:
+  contents: read
+
 jobs:
   build:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-latest
     steps:
       - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
         shell: bash
 
-      - name: checkout repository
-        uses: actions/checkout@master
+      - name: Checkout repository
+        uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
 
-      - name: create checksum file
-        run: find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
+      - name: Build artifacts
+        run: |
+          find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
 
-      - name: upload artifact
-        uses: actions/upload-artifact@v3
+      - name: Generate hashes
+        shell: bash
+        id: hash
+        run: |
+          echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+      - name: Upload ${{ env.REPOSITORY_NAME }}.sha256
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
+          name: ${{ env.REPOSITORY_NAME }}.sha256
           path: ${{ env.REPOSITORY_NAME }}.sha256
+          if-no-files-found: error
+          retention-days: 5
 
-  generate-provenance:
-    needs: build
-    name: generate build provenance
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
+
+  release:
+    needs: [build, provenance]
     runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
     steps:
-      - name: download build artifact
-        uses: actions/download-artifact@v3
+      - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
+        shell: bash
 
-      - name: generate provenance
-        uses: slsa-framework/github-actions-demo@v0.1
+      - name: Download ${{ env.REPOSITORY_NAME }}.sha256
+        uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
         with:
-          artifact_path: artifact/
+          name: ${{ env.REPOSITORY_NAME }}.sha256
 
-      - name: upload provenance
-        uses: actions/upload-artifact@v3
+      - name: Upload asset
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
-          path: build.provenance
+          files: |
+            ${{ env.REPOSITORY_NAME }}.sha256