diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml
index 3c550e74..6a30d525 100644
--- a/.github/workflows/deploy-tag.yml
+++ b/.github/workflows/deploy-tag.yml
@@ -43,9 +43,23 @@ jobs:
 id-token: write
 timeout-minutes: 70
 needs: deploy
+ outputs:
+ base64-subjects: ${{ steps.attest.outputs.base64-subjects }}
 steps:
 - name: Attest
- uses: johnbillion/action-wordpress-plugin-attestation@0.4.0
+ id: attest
+ uses: johnbillion/action-wordpress-plugin-attestation@slsa
 with:
 version: ${{ needs.deploy.outputs.version }}
 zip-path: ${{ needs.deploy.outputs.zip-path }}
+ dry-run: true
+ slsa:
+ name: Generate SLSA provenance attestation
+ needs: attest
+ permissions:
+ contents: write
+ id-token: write
+ actions: read
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+ with:
+ base64-subjects-as-file: "${{ needs.attest.outputs.base64-subjects }}"
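Review bot: The Attest step now resolves `johnbillion/action-wordpress-plugin-attestation@slsa`, which looks like a branch name rather than a release tag, so the code that computes the provenance subjects in a job holding `id-token: write` can change without any edit to this workflow. Pin it to a reviewed commit, e.g. `uses: johnbillion/action-wordpress-plugin-attestation@<full-commit-sha> # slsa branch`; the `@v2.0.0` reference on the slsa-github-generator reusable workflow should stay a tag, since the generator documents that it must be referenced by release tag. Separately, the new `slsa` job passes the `base64-subjects` output to `base64-subjects-as-file`; if that output carries the encoded digest list itself rather than a file handle, the input to use is `base64-subjects`. The attest job's header lies above the hunk, so its full permissions block is not visible here.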