diff --git a/.github/workflows/rekor_cli.yaml b/.github/workflows/rekor_cli.yaml
new file mode 100644
index 0000000000..9c6b1eadf7
--- /dev/null
+++ b/.github/workflows/rekor_cli.yaml
@@ -0,0 +1,99 @@
+name: Build and attest Rekor CLI
+
+# Workflow to build the Rekor command line tool from source, and to generate
+# a GitHub provenance/attestation for the build artifact.
+# Only to be run manually via:
+#    gh workflow run .github/workflows/rekor_cli.yaml
+# See build.yaml for details.
+
+on:
+  workflow_dispatch:
+    branches: [main]
+
+jobs:
+  build_attest_rekor_cli:
+    permissions:
+      actions: read
+      id-token: write
+      attestations: write
+      contents: read
+
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
+
+      - name: Setup Google Cloud
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Mount main branch
+        uses: actions/checkout@v4
+
+      - name: Show values
+        run: |
+          set -o errexit
+          gsutil --version
+          echo "GITHUB_SHA: ${GITHUB_SHA}"
+
+      - name: Build
+        id: build
+        run: |
+          set -o errexit
+          set -o xtrace
+          git clone https://github.com/sigstore/rekor.git rekor-cli
+          cd rekor-cli
+          make rekor-cli
+          cp --preserve=timestamps rekor-cli /tmp/rekor-cli
+          chmod 755 /tmp/rekor-cli
+
+      - name: Show build artifact
+        run: |
+          ls -la /tmp/rekor-cli
+          /tmp/rekor-cli version
+
+      - name: Attest
+        id: attest
+        uses: actions/attest-build-provenance@v1.1.1
+        with:
+          subject-path: /tmp/rekor-cli
+
+      - name: Show bundle
+        run: |
+          echo "${{ steps.attest.outputs.bundle-path }}"
+          ls -la "${{ steps.attest.outputs.bundle-path }}"
+          cat "${{ steps.attest.outputs.bundle-path }}"
+
+      - name: Upload
+        id: upload
+        run: |
+          set -o errexit
+          set -o nounset
+          set -o pipefail
+          set -o xtrace
+
+          bucket=oak-bins
+          package_name=rekor_cli_linux_amd64
+          binary_path=/tmp/rekor-cli
+          provenance_path=${{ steps.attest.outputs.bundle-path }}
+
+          gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
+          gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"
+          binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"
+          provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"
+
+          gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
+          gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
+
+          curl --fail \
+            --request POST \
+            --header 'Content-Type: application/json' \
+            --data "{ \"url\": \"${binary_url}\" }" \
+            https://api.static.space/v1/snapshot
+          curl --fail \
+            --request POST \
+            --header 'Content-Type: application/json' \
+            --data "{ \"url\": \"${provenance_url}\" }" \
+            https://api.static.space/v1/snapshot