diff --git a/.chainguard/source.yaml b/.chainguard/source.yaml
new file mode 100644
index 0000000..98f2663
--- /dev/null
+++ b/.chainguard/source.yaml
@@ -0,0 +1,13 @@
+# Copyright 2024 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+spec:
+  authorities:
+    - keyless:
+        # allow commits signed by users using GitHub or Google OIDC
+        identities:
+          - issuer: https://accounts.google.com
+          - issuer: https://github.com/login/oauth
+    - key:
+        # allow commits signed by GitHub, e.g. the UI
+        kms: https://github.com/web-flow.gpg