diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml
new file mode 100644
index 000000000..443291b9a
--- /dev/null
+++ b/.github/workflows/release-snapshot.yaml
@@ -0,0 +1,49 @@
+name: snapshot
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  snapshot:
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: true
+          swap-storage: true
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version-file: './go.mod'
+          check-latest: true
+
+      - uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+
+      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
+
+      - name: Set LDFLAGS
+        id: ldflags
+        run: |
+           source ./release/ldflags.sh
+           goflags=$(ldflags)
+           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
+
+      - name: Run GoReleaser
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+        with:
+          version: latest
+          args: release --snapshot --clean --timeout 120m --skip=sign
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LDFLAGS: ${{ env.GO_FLAGS }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index deb1b794e..3b52bf559 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -19,6 +19,15 @@ jobs:
       tag_name: ${{ steps.tag.outputs.tag_name }}
     runs-on: ubuntu-latest
     steps:
+      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: true
+          swap-storage: true
+
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
@@ -60,7 +69,7 @@ jobs:
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
           version: latest
-          args: release --rm-dist --timeout 120m
+          args: release --clean --timeout 120m
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           LDFLAGS: ${{ env.GO_FLAGS }}
@@ -74,6 +83,13 @@ jobs:
           checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
           echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
 
+      - name: build images
+        run: |
+          make build-sign-release-images
+        env:
+          LDFLAGS: ${{ env.GO_FLAGS }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: copy-signed-release-to-ghcr
         run: make copy-signed-release-to-ghcr || true
         env:
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 49fbdcc5f..7d54940bb 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -92,5 +92,5 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
-          version: v1.54
+          version: v1.59
           args: --timeout=15m
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index dda82dc20..b0cebe8c1 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,4 +1,5 @@
 project_name: policy-controller
+version: 2
 
 env:
   - GO111MODULE=on
@@ -8,13 +9,12 @@ before:
   hooks:
     - go mod tidy
     - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
-    - /bin/bash -c 'make build-sign-release-images'
 
 builds:
   - id: tester
     binary: tester-{{ .Os }}-{{ .Arch }}
     no_unique_dist_dir: true
-    main: ./cmd/tester/main.go
+    main: ./cmd/tester
     flags:
       - -trimpath
     mod_timestamp: '{{ .CommitTimestamp }}'
diff --git a/Makefile b/Makefile
index ac5310732..0436204c6 100644
--- a/Makefile
+++ b/Makefile
@@ -105,7 +105,7 @@ local-dev:
 golangci-lint:
 	rm -f $(GOLANGCI_LINT_BIN) || :
 	set -e ;\
-	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.53.2 ;\
+	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1 ;\
 
 lint: golangci-lint ## Run golangci-lint linter
 	$(GOLANGCI_LINT_BIN) run -n
diff --git a/go.mod b/go.mod
index 6ee8ef067..d33de0c1e 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/sigstore/policy-controller
 
 go 1.22
 
-toolchain go1.22.3
+toolchain go1.22.4
 
 require (
 	github.com/aws/aws-sdk-go v1.53.20