diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 25a690f..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-# These are supported funding model platforms
-
-github: vanilla-os
-liberapay: fabricators
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8ac6b8c..5ace460 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,4 +3,4 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "monthly"
+ interval: "weekly"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..c8f8877
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,57 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - '*'
+ workflow_dispatch:
+
+env:
+ REGISTRY_USER: ${{ github.actor }}
+ REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+ verify-image:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Verify Base Image Integrity
+ run:
+ gh attestation verify oci://ghcr.io/vanilla-os/pico:main --owner Vanilla-OS
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ release:
+ runs-on: ubuntu-latest
+ needs: verify-image
+ permissions:
+ contents: write # Allow actions to create release
+ attestations: write # To create and write attestations
+ id-token: write # Additional permissions for the persistence of the attestations
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - uses: vanilla-os/vib-gh-action@v0.7.4
+ with:
+ recipe: 'recipe.yml'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.5.3'
+
+ - uses: actions/upload-artifact@v4
+ with:
+ name: Containerfile
+ path: Containerfile
+
+ - name: Create Release
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: gh release create "${{ github.ref_name }}" --generate-notes Containerfile
+
+ - name: Attest Release Files
+ id: attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: 'Containerfile'
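Review bot: The Create Release step's `gh release create "${{ github.ref_name }}"` assumes the ref is a tag, but the workflow also declares `workflow_dispatch`, under which `github.ref_name` is the branch the run was started from, so a manual run creates (or fails on) a release named after a branch. Guard the step with `if: startsWith(github.ref, 'refs/tags/')` or drop the manual trigger, and prefer passing the ref through `env: TAG: ${{ github.ref_name }}` with `run: gh release create "$TAG" --generate-notes Containerfile` so the value is not expanded into the shell line. The workflow-level `REGISTRY_USER`/`REGISTRY_PASSWORD` variables are read by no step in this file yet place `secrets.GITHUB_TOKEN` into the environment of every step of both jobs; remove them or scope them to the step that needs them. `verify-image` checks whatever `pico:main` resolves to at that moment on a separate runner, and nothing in this file carries the verified digest into the `release` job, so the base that the vib build presumably pulls later is not the one that was verified; pinning the base by digest in the recipe and verifying that digest would close the gap. Third-party actions and the plugin are pinned by mutable tags (`vib-gh-action@v0.7.4`, `attest-build-provenance@v1`, `vib-fsguard:v1.5.3`); pinning to commit SHAs is the usual hardening for a workflow that signs release artifacts.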
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index 7ca5176..70a7e52 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -35,7 +35,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: vanilla-os/vib-gh-action@v0.7.2
+ - uses: vanilla-os/vib-gh-action@v0.7.4
 - uses: actions/upload-artifact@v4
 with:
diff --git a/.gitignore b/.gitignore
index 863576e..1ca57e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 Containerfile
-sources/
 downloads/
+plugins/
+sources/
diff --git a/LICENSE b/LICENSE.txt
similarity index 100%
rename from LICENSE
rename to LICENSE.txt
diff --git a/README.md b/README.md
index 8f489f0..eb941b2 100644
--- a/README.md
+++ b/README.md
@@ -9,3 +9,11 @@ This image is based on top of [`vanillaos/pico`](https://github.com/Vanilla-OS/p
 ```bash
 podman image build -t vanillaos/vso .
 ```
+
+## Verify Image Build Provenance Attestation
+
+All the image builds/pushes are attested for build provenance and integrity using the [attest-build-provenance](https://github.com/actions/attest-build-provenance) action. The attestations can be verified [here](https://github.com/Vanilla-OS/dev-image/attestations) or by having the latest version of [GitHub CLI](https://github.com/cli/cli/releases/latest) installed in your system. Then, execute the following command:
+
+```sh
+gh attestation verify oci://ghcr.io/vanilla-os/vso:main --owner Vanilla-OS
+```
diff --git a/recipe.yml b/recipe.yml
index ac1a752..f57e984 100644
--- a/recipe.yml
+++ b/recipe.yml
@@ -9,7 +9,8 @@ stages:
 args:
 DEBIAN_FRONTEND: noninteractive
 runs:
- - echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/01norecommends
+ commands:
+ - echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/01norecommends
 modules:
 - name: base-files
@@ -106,14 +107,14 @@ stages:
 type: shell
 source:
 type: tar
- # switch to production build once in production
- url: https://github.com/Vanilla-OS/vanilla-tools/releases/download/continuous/vanilla-tools.tar.gz
+ url: https://github.com/Vanilla-OS/vanilla-tools/releases/download/v1.0.0/vanilla-tools.tar.gz
+ checksum: 0e1d92d9c9154f9a115e97b40ff692afa52ddd0d9f770a8ec67440bf1a48aa72
 commands:
- - mkdir -p /usr/bin
- - cp /sources/vanilla-tools/vanilla-tools/nrun /usr/bin/nrun
- - chmod +x /usr/bin/nrun
- - cp /sources/vanilla-tools/vanilla-tools/cur-gpu /usr/bin/cur-gpu
- - chmod +x /usr/bin/cur-gpu
+ - mkdir -p /usr/bin
+ - cp /sources/vanilla-tools/vanilla-tools/nrun /usr/bin/nrun
+ - chmod +x /usr/bin/nrun
+ - cp /sources/vanilla-tools/vanilla-tools/cur-gpu /usr/bin/cur-gpu
+ - chmod +x /usr/bin/cur-gpu
 - name: host-aliases
 type: shell
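Review bot: The new `checksum:` line pins the v1.0.0 tarball but records neither the hash algorithm nor where the digest was taken from, so the next version bump has nothing to follow; a comment above it such as `# sha256 of vanilla-tools.tar.gz, taken from the v1.0.0 release assets — TODO confirm` would document it (64 hex characters is consistent with SHA-256, but the recipe format, not this line, decides what is checked). Whether vib aborts the build on a mismatching download or only warns is not visible from this hunk and is worth confirming, because the copied binaries are installed executable into /usr/bin unconditionally. Dropping the `continuous` URL together with the "switch to production build" comment resolves that TODO, so the removal is consistent. The vanilla-tools module definition starts before this hunk.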