diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 30651a8226..b87dab11d4 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -65,12 +65,6 @@ jobs:
         run: |
           echo "::set-output name=hashes::$(sha256sum ${{ env.BUILD_DIR }}/*.tar.gz ${{ env.BUILD_DIR }}/*.deb ${{ env.BUILD_DIR }}/*.rpm | base64 -w0)"
 
-      - name: Generate provenance
-        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
-        with:
-          base64-subjects: "${{ needs.build.outputs.hashes }}"
-          upload-assets: true
-
       - name: Upload binaries to release
         uses: ncipollo/release-action@v1
         with:
@@ -79,6 +73,18 @@ jobs:
           updateOnlyUnreleased: true
           artifacts: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.deb,${{ env.BUILD_DIR }}/*.rpm"
 
+    provenance:
+      needs: [linux]
+      permissions:
+        actions: read
+        id-token: write
+        contents: write
+      - name: Generate provenance
+        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+        with:
+          base64-subjects: "${{ needs.build.outputs.hashes }}"
+          upload-assets: true
+
   freebsd:
     runs-on: ubuntu-latest
     strategy: