diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 17e0e3a2..76632612 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -80,7 +80,53 @@ jobs:
       - name: Make release
         uses: goreleaser/goreleaser-action@v4
         with:
-          version: latest
+          version: v1.17.2
           args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Container metadata
+        id: meta
+        run: |
+          cat dist/artifacts.json |jq
+          DIGEST=$(cat dist/artifacts.json | jq '[ .[] | select( .type== "Docker Manifest") | .extra.Digest ]' | jq -r '.[0]')
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+          IMAGE=$(echo ghcr.io/${{ github.repository }})
+          echo "image=$IMAGE@$DIGEST" >> $GITHUB_OUTPUT
+
+    outputs:
+      digest: ${{ steps.meta.outputs.digest }}
+      image: ${{ steps.meta.outputs.image }}
+
+
+  sign:
+    needs: release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: none
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # tag=v3.0.1
+
+      - name: Sign container
+        run: cosign sign --yes ${{ needs.release.outputs.image }}
+
+
+  verify:
+    needs: [ release, sign ]
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # tag=v3.0.1
+
+      - name: Verify signature
+        run: cosign verify --certificate-identity-regexp 'https://github.com/${{ github.repository }}/.github/workflows/build-release.yaml@refs/.*' --certificate-oidc-issuer https://token.actions.githubusercontent.com ${{ needs.release.outputs.image }}
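Review bot: The `--certificate-identity-regexp` in the Verify signature step ends in `refs/.*` and is unanchored, so a certificate issued to this workflow file on any branch or pull-request ref satisfies the check, not only a release ref; if releases are cut from tags (the `on:` block is outside the hunk), tighten it to `'^https://github\.com/${{ github.repository }}/\.github/workflows/build-release\.yaml@refs/tags/.*$'` and keep the issuer check as is. In the Container metadata step the `run:` block has no `set -euo pipefail` (a bare `run:` is executed with `bash -e` only), so an artifacts.json without a `Docker Manifest` entry yields `DIGEST=null` and an `image=...@null` output instead of a failed step; add `set -euo pipefail` as the first line and `[ "$DIGEST" != "null" ] || { echo "no Docker Manifest digest in dist/artifacts.json" >&2; exit 1; }` after the assignment. The `verify` job declares no `permissions:` block, so it inherits the workflow or repository default token scope although it only reads from the registry; add `permissions: {}` (or `contents: read`) to it, matching the explicit least-privilege block on `sign`. The `release` job's definition starts before this hunk.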