diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5180531..e6736ed 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -97,6 +97,10 @@ jobs:
 run: |
 mkdir -p output
 kustomize build ./config/default > ./output/install.yaml
+ - name: Setup Syft
+ uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+ - name: Setup Cosign
+ uses: sigstore/cosign-installer@v3.5.0
 - name: Run goreleaser
 uses: goreleaser/goreleaser-action@v5
 with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index f174d31..cfbe229 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -28,6 +28,24 @@ checksum:
 - glob: output/install.yaml
 snapshot:
 name_template: "{{ incpatch .Version }}-next"
+sboms:
+ - id: source
+ artifacts: source
+ documents:
+ - "{{ .ProjectName }}-{{ .Version }}-sbom.spdx.json"
+signs:
+ - cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ certificate: '${artifact}.pem'
+ args:
+ - sign-blob
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ - '--yes'
+ artifacts: checksum
+ output: true
 changelog:
 sort: asc
 filters:
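Review bot: `sigstore/cosign-installer@v3.5.0` is pinned to a mutable tag while the Syft step two lines above it is pinned to a full commit SHA with the version as a trailing comment; in a release workflow that signs artifacts, the signing tool's installer is the step most worth pinning by digest, so use `uses: sigstore/cosign-installer@<commit-sha-for-v3.5.0> # v3.5.0` (placeholder — resolve the SHA from the tag). Keyless `sign-blob` as configured in .goreleaser.yaml also needs the job to hold `id-token: write` (alongside `contents: write` for the release upload); the `permissions:` block is outside this hunk, so confirm it grants that, preferably at job rather than workflow scope. The enclosing job starts and ends outside the hunk.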
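Review bot: `COSIGN_EXPERIMENTAL=1` is the cosign 1.x opt-in for keyless signing; with the cosign 2.x that cosign-installer v3 installs, keyless is the default and the variable is ignored, so drop the `env:` entry rather than carry a setting that suggests the flow is still experimental. Only the checksum file is signed (`artifacts: checksum`), which is a reasonable design, but the config should record how consumers verify it, since a keyless signature is only meaningful when the verifier pins the expected identity and issuer — for example a comment above `signs:` such as `# verify: cosign verify-blob --certificate <checksums>.pem --signature <checksums>.sig --certificate-identity-regexp '<release-workflow-url-regex>' --certificate-oidc-issuer https://token.actions.githubusercontent.com <checksums>` (placeholders for the release file names and workflow identity). `artifacts: source` for the SBOM presumably requires the source archive to be enabled elsewhere in this file; that stanza is outside the hunk, so confirm it exists or the SBOM will not be produced.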