diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..f2c34d1
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,48 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - v*
+
+permissions:
+ contents: write # needed to write releases
+ id-token: write # needed for keyless signing
+ packages: write # needed for ghcr access
+
+jobs:
+ goreleaser:
+ runs-on: ubuntu-22.04
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #v3.0.2
+ with:
+ fetch-depth: 0
+
+ - name: Fetch
+ run: git fetch --prune --force --tags
+
+ - name: Setup Go
+ uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a #v3.2.1
+ with:
+ go-version-file: go.mod
+
+ - uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 #v3.0.1
+
+ - uses: anchore/sbom-action/download-syft@448520c4f19577ffce70a8317e619089054687e3 #v0.13.4
+
+ - uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Publish release
+ uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b #4.2.0
+ with:
+ version: latest
+ args: release --clean
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..7f0d00c
--- /dev/null
+++ b/.goreleaser.yaml
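Review bot: `docker/login-action@v2` in `.github/workflows/release.yaml` is the one action referenced by a mutable tag, while every other step is pinned to a full commit SHA. This step receives `secrets.GITHUB_TOKEN` in a job that holds `contents: write`, `packages: write` and `id-token: write`, so a retargeted tag would run with the release and keyless-signing identity. Pin it like the others, e.g. `- uses: docker/login-action@<full-commit-sha> # v2.x.y` (placeholder; take the SHA from the upstream release). The same concern applies to `version: latest` on the goreleaser step, which lets the release tool change between tags; an explicit value such as `version: <pinned-goreleaser-version>` keeps releases repeatable.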
@@ -0,0 +1,74 @@
+project_name: proxy-kubeconfig-generator
+
+before:
+ hooks:
+ - go mod tidy
+
+builds:
+- env:
+ - CGO_ENABLED=0
+ - GO111MODULE=on
+ goos:
+ - linux
+ goarch:
+ - amd64
+ - arm64
+ ldflags: |
+ -X main.buildVersion={{ .Version }}
+ -s
+ -w
+
+checksum:
+ name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
+ algorithm: sha256
+
+changelog:
+ sort: asc
+
+# creates SBOMs of all archives and the source tarball using syft
+# https://goreleaser.com/customization/sbom
+sboms:
+- id: archive
+ artifacts: archive
+- id: source
+ artifacts: source
+
+# signs the checksum file
+# all files (including the sboms) are included in the checksum, so we don't need to sign each one if we don't want to
+# https://goreleaser.com/customization/sign
+signs:
+- cmd: cosign
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ - "--yes" # needed on cosign 2.0.0+
+ artifacts: all
+ output: true
+
+kos:
+- base_image: cgr.dev/chainguard/static
+ repository: ghcr.io/maxgio92/proxy-kubeconfig-generator
+ bare: true
+ tags:
+ - '{{ .Version }}'
+ - '{{ .Major }}.{{ .Minor }}'
+ - latest
+ platforms:
+ - linux/amd64
+ - linux/arm64
+ sbom: spdx
+
+# signs our docker image
+# https://goreleaser.com/customization/docker_sign
+docker_signs:
+- cmd: cosign
+ artifacts: all
+ output: true
+ args:
+ - 'sign'
+ - '${artifact}'
+ - "--yes" # needed on cosign 2.0.0+
+
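Review bot: In `docker_signs`, the argument `'${artifact}'` makes cosign sign an image reference by tag, and the `kos` tags include the mutable `latest` and `{{ .Major }}.{{ .Minor }}`. The signature is therefore bound to whatever the tag resolves to at signing time, not necessarily to the image this run just pushed. Signing by digest avoids that: `- '${artifact}@${digest}'` (confirm `${digest}` is available in the GoReleaser version the workflow installs). Separately, the comment above `signs` says only the checksum file is signed, but the block sets `artifacts: all`; either change it to `artifacts: checksum` or update the comment so verifiers know which signatures and certificates to expect.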