diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 78f5358..614485c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -92,6 +92,7 @@ jobs:
 
           "asset=$asset" >> $env:GITHUB_OUTPUT
           "checksum=$checksum" >> $env:GITHUB_OUTPUT
+          "sha256=$hash" >> $env:GITHUB_OUTPUT
 
       - name: Upload workflow artifact
         uses: actions/upload-artifact@v6
@@ -111,6 +112,9 @@ jobs:
           $asset = "${{ steps.package.outputs.asset }}"
           $checksum = "${{ steps.package.outputs.checksum }}"
           $title = "TunnelX $tag"
+          $runUrl = "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          $sha256 = "${{ steps.package.outputs.sha256 }}".ToUpperInvariant()
+          $artifactName = "${{ steps.meta.outputs.artifact_name }}"
 
           if ("${{ github.event_name }}" -eq "workflow_dispatch") {
             git fetch --tags origin
@@ -133,3 +137,27 @@ jobs:
               --generate-notes `
               --latest
           }
+
+          $body = gh release view $tag --json body --jq .body
+          $provenance = @"
+<!-- release-provenance:start -->
+## Build provenance
+
+- Built and uploaded by GitHub Actions.
+- Workflow: ``release``
+- Run: $runUrl
+- Commit: ``${{ github.sha }}``
+- SHA256: ``$sha256  $artifactName``
+<!-- release-provenance:end -->
+"@
+
+          if ($body -match '(?s)<!-- release-provenance:start -->.*<!-- release-provenance:end -->') {
+            $body = $body -replace '(?s)<!-- release-provenance:start -->.*<!-- release-provenance:end -->', $provenance
+          }
+          else {
+            $body = "$body`n`n$provenance"
+          }
+
+          $notesFile = Join-Path $env:RUNNER_TEMP "release-notes.md"
+          $body | Set-Content -Encoding UTF8 -LiteralPath $notesFile
+          gh release edit $tag --notes-file $notesFile
diff --git a/README.fa.md b/README.fa.md
index 2f02088..87f5ef0 100644
--- a/README.fa.md
+++ b/README.fa.md
@@ -37,6 +37,8 @@
 
 <span dir="ltr">[دانلود آخرین نسخه از GitHub Releases](https://github.com/MaxiFan/TunnelX/releases/latest)</span>
 
+فایل‌های منتشرشده توسط <span dir="ltr">GitHub Actions</span> ساخته و آپلود می‌شوند. برای هر فایل اجرایی <span dir="ltr">standalone</span>، فایل checksum با پسوند <span dir="ltr">`.sha256`</span> هم منتشر می‌شود و در متن هر <span dir="ltr">Release</span> لینک اجرای workflow قرار می‌گیرد.
+
 نسخه پیشنهادی برای کاربران، فایل <span dir="ltr">standalone</span> و <span dir="ltr">self-contained</span> است. این نسخه به نصب جداگانه <span dir="ltr">.NET Runtime</span> نیاز ندارد.
 
 ## نیازمندی‌های اجرا
diff --git a/README.md b/README.md
index 5e5847e..04e7877 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,8 @@ Public downloads should be attached to GitHub Releases after release validation
 
 [GitHub project](https://github.com/MaxiFan/TunnelX)
 
+Release assets are built and uploaded by GitHub Actions. Each published standalone executable includes a `.sha256` checksum file, and the release notes link back to the workflow run that produced the artifact.
+
 ## Build
 
 End-user requirements for the recommended standalone release: