diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
new file mode 100644
index 0000000000..f2d77c47e3
--- /dev/null
+++ b/.github/workflows/report.yml
@@ -0,0 +1,31 @@
+on:
+  release:
+    types: [published]
+
+jobs:
+  add-attributions-to-release:
+    name: add-attributions-to-release ${{ github.event.release.tag_name }}
+    runs-on: ubuntu-latest
+
+    # release changes require contents write
+    permissions:
+      contents: write 
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install fossa-cli
+        run: |
+          ./install-latest.sh -d
+
+      # since this is only invoked after the release is published,
+      # we can safely presume that fossa has ran dependency scan on the commit
+      # from 'dependency-scan' job!
+      #
+      # docs: https://cli.github.com/manual/gh_release_upload
+      - name: Persist attributions to release
+        run: |
+          fossa report --format cyclonedx-json attribution > fossa-cli-attribution.bom.json
+          gh release upload ${{ github.event.release.tag_name }} fossa-cli-attribution.bom.json
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file