diff --git a/.github/workflows/ant.yml b/.github/workflows/ant.yml
index 8cd4e6150..a306ce8bd 100644
--- a/.github/workflows/ant.yml
+++ b/.github/workflows/ant.yml
@@ -12,35 +12,51 @@ on:
       - $default-branch
   workflow_dispatch:
 
+permissions:
+  id-token: write
+  attestations: write
+  contents: write
+  packages: write
+
 jobs:
   call-workflow-latest:
-      uses: JOSM/JOSMPluginAction/.github/workflows/ant.yml@v2
+      uses: JOSM/JOSMPluginAction/.github/workflows/ant.yml@v3
       with:
           josm-revision: ""
           java-version: 17
   call-workflow-min:
-    uses: JOSM/JOSMPluginAction/.github/workflows/ant.yml@v2
+    uses: JOSM/JOSMPluginAction/.github/workflows/ant.yml@v3
     with:
       josm-revision: "r18877"
       java-version: 17
       perform-revision-tagging: ${{ github.repository == 'JOSM/Mapillary' && github.ref_type == 'branch' && github.ref_name == 'master' && github.event_name != 'schedule' && github.event_name != 'pull_request' }}
 
   add-mapillary-keys:
-      runs-on: ubuntu
+      runs-on: ubuntu-latest
       needs: call-workflow-min
-      if: needs.call-workflow-min.outputs.tag
+      env:
+        GH_TOKEN: ${{ github.token }}
       steps:
+          - uses: actions/checkout@v4
+            with:
+                fetch-depth: 0
+          - name: Echo env
+            run: echo ${{ needs.call-workflow-min.outputs.tag }}
           - name: Get Mapillary jar
             run: gh release download ${{ needs.call-workflow-min.outputs.tag }} --pattern Mapillary.jar
           - name: Add keys
             run: |
                 cat <<EOF > mapillary_api_keys.json
                 {
-                    "MAPILLARY_CLIENT_ID": "${real_MAPILLARY_CLIENT_ID}",
-                    "MAPILLARY_CLIENT_TOKEN": "${real_MAPILLARY_CLIENT_TOKEN}",
-                    "MAPILLARY_CLIENT_SECRET": "${real_MAPILLARY_CLIENT_SECRET}"
+                    "MAPILLARY_CLIENT_ID": "${{ secrets.MAPILLARY_CLIENT_ID }}",
+                    "MAPILLARY_CLIENT_TOKEN": "${{ secrets.MAPILLARY_CLIENT_TOKEN }}",
+                    "MAPILLARY_CLIENT_SECRET": "${{ secrets.MAPILLARY_CLIENT_SECRET }}"
                 }
                 EOF
                 zip Mapillary.jar mapillary_api_keys.json
+          - name: Perform attestation (jar after adding API keys)
+            uses: actions/attest-build-provenance@v1
+            with:
+              subject-path: Mapillary.jar
           - name: Upload Mapillary jar
             run: gh release upload ${{ needs.call-workflow-min.outputs.tag }} --clobber Mapillary.jar
diff --git a/.github/workflows/reports.yaml b/.github/workflows/reports.yaml
deleted file mode 100644
index 817c66ff4..000000000
--- a/.github/workflows/reports.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: Publish reports
-
-on:
-  workflow_run:
-    workflows: [Java CI]
-    types: [completed]
-
-permissions:
-  checks: write
-
-jobs:
-  call-workflow:
-    uses: JOSM/JOSMPluginAction/.github/workflows/reports.yaml@v2
-