diff --git a/.github/workflows/native.yaml b/.github/workflows/native.yaml index a3ba0596..333283a4 100644 --- a/.github/workflows/native.yaml +++ b/.github/workflows/native.yaml @@ -23,6 +23,9 @@ jobs: name: Clippy (${{ matrix.os }}) runs-on: ${{ matrix.os }} + permissions: + contents: read + defaults: run: working-directory: native @@ -49,7 +52,7 @@ jobs: toolchain: stable components: clippy cache: false - rustflags: "" + rustflags: '' - name: Configure cache uses: Swatinem/rust-cache@v2 @@ -66,6 +69,9 @@ jobs: name: Rustfmt runs-on: ubuntu-latest + permissions: + contents: read + defaults: run: working-directory: native @@ -81,7 +87,7 @@ jobs: toolchain: nightly components: rustfmt cache: false - rustflags: "" + rustflags: '' - name: Configure cache uses: Swatinem/rust-cache@v2 @@ -97,6 +103,11 @@ jobs: name: Build (${{ matrix.target }}) runs-on: ${{ matrix.os }} + permissions: + contents: read + attestations: write + id-token: write + defaults: run: working-directory: native @@ -140,7 +151,7 @@ jobs: toolchain: stable target: ${{ matrix.target }} cache: false - rustflags: "" + rustflags: '' - name: Configure cache uses: Swatinem/rust-cache@v2 @@ -162,7 +173,7 @@ jobs: - name: Install Cargo DEB (Linux) if: matrix.os == 'ubuntu-latest' run: | - cargo install cargo-deb --git https://github.com/kornelski/cargo-deb.git --rev 423d53ed8f0559bc339013aa7e1a3f2fde493c0e + cargo install cargo-deb --git https://github.com/kornelski/cargo-deb.git --rev 7e66d7f6162cc1cc2349c2abfb6258bf43eb6aa5 - name: Install Cargo RPM (Linux) if: matrix.os == 'ubuntu-latest' 
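Review bot: In the Build job's new `permissions` block, `attestations: write` and `id-token: write` are granted at job level, so every step in that job can request an OIDC token, not only the attestation step. That includes the `cargo install cargo-deb --git ...` step shown later in this diff and any step that downloads and unpacks third-party tools. Consider moving attestation into a small follow-up job that downloads the built artifacts and is the only one holding these two permissions, leaving Build at `contents: read`. If the split is deferred, a comment above the block such as `# attestations/id-token are required only by the "Attest artifacts" step` would record the intent. The job body continues outside this hunk, so the full list of steps that inherit the token is not visible here.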
@@ -179,12 +190,12 @@ jobs: if: matrix.os == 'windows-latest' && matrix.portable == true run: | mkdir $TEMP/PortableAppsLauncher && cd $TEMP/PortableAppsLauncher - curl "https://download2.portableapps.com/portableapps/PortableApps.comLauncher/PortableApps.comLauncher_2.2.9.paf.exe" -o PortableAppsLauncher.paf.exe + curl "https://github.com/filips123/PortableAppsTools/releases/download/PortableAppsLauncher/2.2.9/PortableAppsLauncher.paf.exe" -o PortableAppsLauncher.paf.exe 7z x -y PortableAppsLauncher.paf.exe echo $TEMP/PortableAppsLauncher >> $GITHUB_PATH mkdir $TEMP/PortableAppsInstaller && cd $TEMP/PortableAppsInstaller - curl "https://download2.portableapps.com/portableapps/PortableApps.comInstaller/PortableApps.comInstaller_3.8.12.paf.exe" -o PortableAppsInstaller.paf.exe + curl "https://github.com/filips123/PortableAppsTools/releases/download/PortableAppsInstaller/3.8.12/PortableAppsInstaller.paf.exe" -o PortableAppsInstaller.paf.exe 7z x -y PortableAppsInstaller.paf.exe echo $TEMP/PortableAppsInstaller >> $GITHUB_PATH 
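Review bot: Both `curl` calls fetch an executable from a release URL, unpack it and add it to `$GITHUB_PATH` with no integrity check, and release assets can be replaced after publication. This step appears to belong to the Build job, which now holds `id-token: write`, so I would pin each download to a known digest before the `7z x`, e.g. `echo "<EXPECTED_SHA256>  PortableAppsLauncher.paf.exe" | sha256sum -c -` (placeholder digest; this assumes the step runs under bash, as the `$TEMP` and `&&` syntax suggests). GitHub release download URLs normally answer with a redirect, so `curl` without `-L` may save the redirect response instead of the installer; `curl -fsSL "<url>" -o PortableAppsLauncher.paf.exe` follows it and fails on HTTP errors. The same two changes apply to the `PortableAppsInstaller.paf.exe` download.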
@@ -293,17 +304,63 @@ jobs: mv PWAsForFirefoxPortable_*.paf.exe ../../target/paf/firefoxpwa_${VERSION}_online.paf.exe echo "::endgroup::" - - name: Upload artifacts - if: success() || failure() - uses: actions/upload-artifact@v3 + - name: Determine target architecture + id: target + env: + TARGET: ${{ matrix.target }} + run: echo "::set-output name=target::${TARGET%%-*}" + + - name: Attest artifacts + # if: startsWith(github.ref, 'refs/tags/v') + uses: actions/attest-build-provenance@v1 with: - path: | + subject-path: | native/target/completions.zip native/target/debian/*.deb native/target/rpm/*.rpm native/target/wix/*.msi native/target/paf/*.paf.exe + - name: Upload shell completions + if: matrix.target == 'x86_64-unknown-linux-gnu' + uses: actions/upload-artifact@v4 + with: + name: build-shell-completions + path: native/target/completions.zip + compression-level: 0 + + - name: Upload DEB (Linux) + if: matrix.os == 'ubuntu-latest' + uses: actions/upload-artifact@v4 + with: + name: build-linux-deb-${{ steps.target.outputs.target }} + path: native/target/debian/*.deb + compression-level: 0 + + - name: Upload RPM (Linux) + if: matrix.os == 'ubuntu-latest' + uses: actions/upload-artifact@v4 + with: + name: build-linux-rpm-${{ steps.target.outputs.target }} + path: native/target/rpm/*.rpm + compression-level: 0 + + - name: Upload MSI (Windows) + if: matrix.os == 'windows-latest' && matrix.portable != true + uses: actions/upload-artifact@v4 + with: + name: unsigned-windows-msi-${{ steps.target.outputs.target }} + path: native/target/wix/*.msi + compression-level: 0 + + - name: Upload PAF (Windows) + if: matrix.os == 'windows-latest' && matrix.portable == true + uses: actions/upload-artifact@v4 + with: + name: unsigned-windows-paf-${{ steps.target.outputs.target }} + path: native/target/paf/*.paf.exe + compression-level: 0 + release-github: name: Release on GitHub if: startsWith(github.ref, 'refs/tags/v')
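Review bot: The `Attest artifacts` step records provenance for `native/target/wix/*.msi` and `native/target/paf/*.paf.exe` before they are uploaded under `unsigned-windows-*` names. If a later job signs those files (not visible in this hunk), the published binaries will have different digests and will not verify against these attestations; attest after signing, or document that verification covers only the unsigned artifacts. With the tag condition commented out the step runs on every build, so either restore `if: startsWith(github.ref, 'refs/tags/v')` or replace the commented line with a comment explaining why every build is attested. The action is referenced by the mutable tag `@v1` while the job holds `id-token: write`; pinning it to a full commit SHA narrows what can run with that token. Separately, `::set-output` in `Determine target architecture` is deprecated; `run: echo "target=${TARGET%%-*}" >> "$GITHUB_OUTPUT"` is the supported form.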