diff --git a/.github/workflows/cilock-action-oidc.yaml b/.github/workflows/cilock-action-oidc.yaml
new file mode 100644
index 0000000..cc156ae
--- /dev/null
+++ b/.github/workflows/cilock-action-oidc.yaml
@@ -0,0 +1,80 @@
+name: cilock-action OIDC attestations
+
+# Attests every step of the dropbox-clone pipeline using cilock-action.
+# OIDC end-to-end:
+# - Fulcio (cert issuance): GitHub OIDC token, audience "sigstore"
+# - Archivista (upload): GitHub OIDC token, audience = archivista URL
+# No static API keys.
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [main]
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ STAGING_URL: https://platform.aws-sandbox-staging.testifysec.dev
+
+jobs:
+ attest:
+ name: Attested CI Pipeline
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.24"
+
+ - name: Install syft
+ run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+ - name: Install gosec
+ run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+ - name: lint + secrets
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: lint
+ command: echo "lint passed"
+ attestations: environment git github secretscan
+ platform-url: ${{ env.STAGING_URL }}
+
+ - name: sast
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: sast
+ command: bash -c "gosec -fmt=sarif -out=gosec-results.sarif ./... || true"
+ attestations: environment git github sarif
+ platform-url: ${{ env.STAGING_URL }}
+ cilock-args: --attestor-product-include-glob "*.sarif"
+
+ - name: test
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: test
+ command: go test -count=1 ./...
+ attestations: environment git github
+ platform-url: ${{ env.STAGING_URL }}
+
+ - name: build + sbom
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: build
+ command: bash -c "CGO_ENABLED=0 go build -o bin/dropbox-clone ./cmd/api && syft bin/dropbox-clone -o cyclonedx-json=bin/bom.cdx.json"
+ attestations: environment git github sbom
+ platform-url: ${{ env.STAGING_URL }}
+ cilock-args: --attestor-product-include-glob "bin/*"
+
+ - name: docker-build
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: docker-build
+ command: docker buildx build --metadata-file docker-metadata.json -t dropbox-clone:test --load .
+ attestations: environment git github docker
+ platform-url: ${{ env.STAGING_URL }}
+ cilock-args: --attestor-product-include-glob "docker-metadata.json"
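Review bot: Every step that runs under the job's OIDC identity (`id-token: write`) uses a third-party action pinned only by a mutable tag, `uses: aflock-ai/cilock-action@v1.0.0`, and `actions/checkout@v4` and `actions/setup-go@v5` are pinned the same way; a retargeted tag can mint certificates and upload attestations under this repository's identity, so each `uses:` should reference a full commit SHA with the tag kept as a trailing comment, e.g. `uses: aflock-ai/cilock-action@<full-commit-sha>  # v1.0.0`. The syft install fetches `install.sh` from the `main` branch and pipes it to `sh`, and gosec is installed `@latest`, so the SBOM and SARIF that feed the `sbom` and `sarif` attestations come from unpinned, unverified tooling; pin a released version and verify its checksum, or use the maintainers' published action. The `|| true` in the `sast` command lets a failed or absent `gosec-results.sarif` still yield a green step; if attesting findings without gating is intended, say so with a comment such as `# gosec findings are recorded in the sarif attestation, not used as a gate`, otherwise drop the `|| true`. Workflow-level `permissions` already restricts `contents` to read, which is the right default here.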