diff --git a/.github/workflows/sycl-linux-build.yml b/.github/workflows/sycl-linux-build.yml
index 33c2269fb360..d60e851b2bd7 100644
--- a/.github/workflows/sycl-linux-build.yml
+++ b/.github/workflows/sycl-linux-build.yml
@@ -46,6 +46,10 @@ on:
# Artifacts:
+ sign_artifacts:
+ type: boolean
+ default: false
+
retention-days:
description: 'Artifacts retention period'
type: string
@@ -131,7 +135,11 @@ on:
options:
- "sycl_linux_default"
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
+ id-token: write
+ packages: read
jobs:
build:
@@ -308,6 +316,12 @@ jobs:
- name: Pack toolchain
if: ${{ always() && !cancelled() && steps.build.conclusion == 'success' }}
run: tar -I '${{ steps.artifact_info.outputs.COMPRESS }}' -cf ${{ steps.artifact_info.outputs.ARCHIVE_NAME }} -C $GITHUB_WORKSPACE/toolchain .
+ - name: Sign the toolchain archive & upload the signature artifact
+ if: ${{ always() && !cancelled() && steps.build.conclusion == 'success' && inputs.sign_artifacts == true }}
+ uses: ./devops/actions/sign_artifacts_and_upload_signature
+ with:
+ archive_path: ${{ steps.artifact_info.outputs.ARCHIVE_NAME }}
+ artifact_name: ${{ inputs.toolchain_artifact }}_signing_artifact
- name: Upload toolchain
if: ${{ always() && !cancelled() && steps.build.conclusion == 'success' }}
uses: actions/upload-artifact@v4
diff --git a/.github/workflows/sycl-nightly.yml b/.github/workflows/sycl-nightly.yml
index e9df61203d74..145b8c2781ad 100644
--- a/.github/workflows/sycl-nightly.yml
+++ b/.github/workflows/sycl-nightly.yml
@@ -25,6 +25,11 @@ jobs:
ubuntu2204_build:
if: github.repository == 'intel/llvm'
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ packages: read
uses: ./.github/workflows/sycl-linux-build.yml
secrets: inherit
with:
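Review bot: The new `sign_artifacts` input has no `description`, unlike its neighbour `retention-days` in the same hunk, so neither the workflow_dispatch UI nor a reader of the file learns what it does or that turning it on obliges the caller to grant `id-token: write` (the permission this same commit adds to the nightly caller). I would add `description: 'Sign the toolchain archive with Sigstore and upload the bundle as <toolchain_artifact>_signing_artifact; the calling job must grant id-token: write'` under `sign_artifacts:`. Which trigger (`workflow_call` or `workflow_dispatch`) this input sits under is not visible — the `on:` mapping starts before the hunk.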
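Review bot: `id-token: write` is granted at the workflow level, so every job of this reusable workflow and every step of `build` — third-party actions and the build itself included — can mint an OIDC token, not just the signing step, and it is granted even when `sign_artifacts` is false. GitHub cannot scope permissions below a job, but the block can at least move under `build:` (visible right below the hunk) with a comment such as `# id-token: write is needed only by the sign_artifacts step; any step in this job can obtain a Sigstore identity for this workflow, so keep the step list tight`. Replacing `read-all` with three explicit read scopes also silently drops the rest (`pull-requests`, `checks`, ...); if a step outside the hunk uses GITHUB_TOKEN for those it will now fail with 403, so that narrowing deserves a check or a one-line comment stating it is intentional. Whether the workflow has jobs other than `build` is not visible here.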
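Review bot: The signing step hands the composite action no retention period, so the `.sigstore.json` bundle is kept for the repository default while the toolchain archive uploaded by the next step is (presumably — that step is cut off after `uses:`) kept for the workflow's `retention-days` input; consumers can then find an archive whose signature artifact has already expired, or the reverse. I would pass `retention-days: ${{ inputs.retention-days }}` under the step's `with:` and have the action forward it to `actions/upload-artifact`. A comment next to the step naming the Sigstore identity consumers must verify against (`--cert-identity`/`--cert-oidc-issuer`) would also help, since a bundle is meaningless without a pinned identity; for a reusable workflow that is expected to be this workflow's ref rather than the caller's, but I would confirm the exact string against a real bundle before writing it down.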
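Review bot: This job now combines `id-token: write` with the pre-existing `secrets: inherit`, so any step inside the called workflow holds both the repository's secrets and the ability to obtain a Sigstore certificate in `intel/llvm`'s name; that is how reusable workflows work, but it is worth recording so the list is not widened or trimmed blindly. The block must also stay a superset of the `permissions:` declared in `sycl-linux-build.yml`, which nothing here states. I would add above `permissions:`: `# must cover the permissions declared by sycl-linux-build.yml; id-token: write exists only so sign_artifacts can obtain a Sigstore certificate`.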
@@ -32,6 +37,7 @@ jobs:
build_configure_extra_args: '--hip --cuda'
build_image: ghcr.io/intel/llvm/ubuntu2204_build:latest
+ sign_artifacts: true
retention-days: 90
toolchain_artifact: sycl_linux_default
# We upload the build for people to download/use, override its name and
diff --git a/devops/actions/sign_artifacts_and_upload_signature/action.yml b/devops/actions/sign_artifacts_and_upload_signature/action.yml
new file mode 100644
index 000000000000..d28227379097
--- /dev/null
+++ b/devops/actions/sign_artifacts_and_upload_signature/action.yml
@@ -0,0 +1,25 @@
+name: "Sign and upload artifacts"
+
+description: "Signs an archive and uploads the signing artifacts."
+
+inputs:
+ archive_path:
+ description: "Path to the archive to sign"
+ required: true
+ artifact_name:
+ description: "Name for the signing artifact"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: Sign the archive
+ uses: sigstore/gh-action-sigstore-python@v3.0.1
+ with:
+ inputs: ${{ inputs.archive_path }}
+
+ - name: Upload signing artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ inputs.artifact_name }}
+ path: ${{ inputs.archive_path }}.sigstore.json
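Review bot: `sigstore/gh-action-sigstore-python@v3.0.1` is pinned to a mutable tag, and this is the step that produces the trust anchor everything downstream will verify against — a moved tag could sign a different file or exfiltrate the OIDC token — so it should be pinned to the full commit SHA of that release with the tag kept as a trailing comment, `uses: sigstore/gh-action-sigstore-python@<commit-sha>  # v3.0.1`; `actions/upload-artifact@v4` deserves the same, though it matches the rest of the repository. Composite actions cannot declare permissions, so the requirement belongs in the metadata the caller reads: `description: "Signs an archive with Sigstore (keyless; the calling job must grant id-token: write) and uploads the <archive>.sigstore.json bundle as a separate artifact."`. The upload step also passes no `retention-days`, so the bundle's lifetime is the repository default regardless of how long the archive it signs is kept; an optional `retention-days` input forwarded to `actions/upload-artifact` would let callers keep the two in step.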