diff --git a/.github/slsa/.slsa-client-linux-amd64.yml b/.github/slsa/.slsa-client-linux-amd64.yml
new file mode 100644
index 0000000000..b007a17e57
--- /dev/null
+++ b/.github/slsa/.slsa-client-linux-amd64.yml
@@ -0,0 +1,25 @@
+version: 1
+
+env:
+ - CGO_ENABLED=0
+ - GO111MODULE=off
+ - MODFLAGS="-mod=vendor"
+
+flags:
+ - -trimpath
+
+goos: linux
+goarch: amd64
+
+# (Optional) Entrypoint to compile.
+main: ./client/fuse.go
+
+binary: cfs-client-{{ .Os }}-{{ .Arch }}
+
+ldflags:
+ - "-X github.com/cubefs/cubefs/proto.Version={{ .Env.VERSION }}"
+ - "-X github.com/cubefs/cubefs/proto.CommitID={{ .Env.COMMIT_ID }}"
+ - "-X github.com/cubefs/cubefs/proto.BranchName={{ .Env.BRANCH_NAME }}"
+ - "-X github.com/cubefs/cubefs/proto.BuildTime={{ .Env.BUILD_TIME }}"
+ - "-X github.com/cubefs/cubefs/blobstore/util/version.version={{ .Env.BRANCH_NAME }}/{{ .Env.COMMIT_ID }}"
+ - "-w -s"
diff --git a/.github/workflows/slsa-releaser.yml b/.github/workflows/slsa-releaser.yml
new file mode 100644
index 0000000000..c9fde66739
--- /dev/null
+++ b/.github/workflows/slsa-releaser.yml
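Review bot: In `.github/slsa/.slsa-client-linux-amd64.yml`, the `env` entry `MODFLAGS="-mod=vendor"` never puts `-mod=vendor` on the compile command: `MODFLAGS` is not a variable the go tool reads, the `flags:` list holds only `-trimpath`, and the double quotes are part of the scalar's value. Combined with `GO111MODULE=off`, the build ignores go.mod and go.sum, so the attested binary is compiled from the vendor tree without the module consistency check. If vendored module mode is the intent, consider dropping both entries and adding `- -mod=vendor` under `flags:`; whether the tree builds in module mode is not visible in this hunk. I believe the pinned Go builder also restricts env names to `GO`/`CGO_` prefixes, so confirm that `MODFLAGS` is accepted at all.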
@@ -0,0 +1,45 @@
+name: SLSA Releaser
+
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ args:
+ runs-on: ubuntu-latest
+ outputs:
+ build-time: ${{ steps.ldflags.outputs.build-time }}
+ commit-id: ${{ steps.ldflags.outputs.commit-id }}
+ version: ${{ steps.ldflags.outputs.version }}
+ branch-name: ${{ steps.ldflags.outputs.branch-name }}
+ steps:
+ - id: checkout
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ with:
+ fetch-depth: 0
+ - id: setupgo
+ uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.4.0
+ with:
+ go-version: 1.17
+ - id: ldflags
+ run: |
+ echo "build-time=$(date +%Y-%m-%d_%H:%M)" >> "$GITHUB_OUTPUT"
+ echo "commit-id=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+ echo "version=$(git describe --abbrev=0 --tags)" >> "$GITHUB_OUTPUT"
+ echo "branch-name=$(git rev-parse --abbrev-ref HEAD)" >> "$GITHUB_OUTPUT"
+
+ # Trusted builders
+ client-linux-amd64:
+ permissions:
+ id-token: write
+ contents: write
+ actions: read
+ needs: args
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@07e64b653f10a80b6510f4568f685f8b7b9ea830
+ with:
+ config-file: .github/slsa/.slsa-client-linux-amd64.yml
+ go-version: 1.17
+ evaluated-envs: "BUILD_TIME:${{needs.args.outputs.build-time}}, COMMIT_ID:${{needs.args.outputs.commit-id}}, VERSION:${{needs.args.outputs.version}}, BRANCH_NAME:${{needs.args.outputs.branch-name}}"
+ compile-builder: true
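Review bot: The values written in the `ldflags` step are joined into `evaluated-envs` as a `KEY:VALUE, KEY:VALUE` list with no constraint on their content, and `build-time` already carries a `:` from `%H:%M`. Tag and branch names may legally contain a comma, so the output of `git describe` and `git rev-parse --abbrev-ref HEAD` can alter how that list is split and what ends up in the `-X` ldflags of the attested binary. How the pinned builder treats a stray separator should be confirmed. Emit a separator-free timestamp, e.g. `echo "build-time=$(date -u +%Y-%m-%d_%H%M)" >> "$GITHUB_OUTPUT"`, and fail the step when a ref-derived value does not match a strict pattern such as `^[A-Za-z0-9._/-]+$` before it is written to `$GITHUB_OUTPUT`.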