diff --git a/.github/actions/goreleaser/action.yml b/.github/actions/goreleaser/action.yml index a0d443e..6f6518a 100644 --- a/.github/actions/goreleaser/action.yml +++ b/.github/actions/goreleaser/action.yml @@ -24,6 +24,14 @@ inputs: description: "Homebrew tap token (optional)" required: false default: "" + cosign-key: + description: "Cosign private key (base64 encoded)" + required: false + default: "" + cosign-password: + description: "Cosign private key password" + required: false + default: "" runs: using: "composite" @@ -38,6 +46,10 @@ runs: git push origin ${{ inputs.version-tag }} || true fi + - name: Install cosign + if: inputs.cosign-key != '' + uses: sigstore/cosign-installer@v3 + - name: Run GoReleaser (full) if: inputs.mode == 'full' uses: goreleaser/goreleaser-action@v6 @@ -49,6 +61,8 @@ runs: GITHUB_TOKEN: ${{ inputs.github-token }} HOMEBREW_TAP_TOKEN: ${{ inputs.homebrew-tap-token }} CGO_ENABLED: ${{ inputs.cgo-enabled }} + COSIGN_KEY: ${{ inputs.cosign-key }} + COSIGN_PASSWORD: ${{ inputs.cosign-password }} - name: Run GoReleaser Pro (split) if: inputs.mode == 'split' @@ -61,6 +75,8 @@ runs: GITHUB_TOKEN: ${{ inputs.github-token }} GORELEASER_KEY: ${{ inputs.goreleaser-key }} CGO_ENABLED: ${{ inputs.cgo-enabled }} + COSIGN_KEY: ${{ inputs.cosign-key }} + COSIGN_PASSWORD: ${{ inputs.cosign-password }} - name: Run GoReleaser Pro (merge) if: inputs.mode == 'merge' @@ -72,3 +88,5 @@ runs: env: GITHUB_TOKEN: ${{ inputs.github-token }} GORELEASER_KEY: ${{ inputs.goreleaser-key }} + COSIGN_KEY: ${{ inputs.cosign-key }} + COSIGN_PASSWORD: ${{ inputs.cosign-password }} diff --git a/.github/workflows/go-release-cgo.yaml b/.github/workflows/go-release-cgo.yaml index aefa568..400633d 100644 --- a/.github/workflows/go-release-cgo.yaml +++ b/.github/workflows/go-release-cgo.yaml 
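Review bot: The `cosign-key` description says the value is base64 encoded, but nothing in the visible hunks decodes it; it is exported unchanged as `COSIGN_KEY` in all three GoReleaser steps. If the GoReleaser config (not shown here) decodes it, the decoded key is no longer the string GitHub registered for log masking, so a hook or debug line that prints it would show it in clear. I would state the contract in the input itself, for example `description: "Cosign private key: base64 of the password-encrypted cosign.key, decoded by <decoding step or config entry>; the decoded value is not log-masked"`. I would also have whatever decodes it register the result with `::add-mask::`.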
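Review bot: The new "Install cosign" step references `sigstore/cosign-installer@v3` by a movable tag. That step supplies the binary that presumably runs later with `COSIGN_KEY` and `COSIGN_PASSWORD` in its environment. A retagged or compromised release of the installer would therefore be in a position to read the signing key. Pin it to a full commit SHA and keep the version as a trailing comment, `uses: sigstore/cosign-installer@<full-commit-sha>  # v3`. The `goreleaser/goreleaser-action@v6` context line has the same form and receives the key directly, so it deserves the same pin.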
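Review bot: `COSIGN_KEY` and `COSIGN_PASSWORD` are added to the env of the "Run GoReleaser Pro (split)" step (hunk at -61) as well as the full and merge steps. The caller hunk at -161 in go-release-cgo.yaml passes them too; it appears to be the split build, since "Upload artifacts" follows it. If signing only happens in the merge phase, which needs confirming against the GoReleaser config, the build jobs hold the signing key for no reason. Every build hook and the cgo toolchain they invoke could then read it. I would drop the two env lines from the split step and the `cosign-key:` / `cosign-password:` lines from the split caller, leaving the key only where signatures are produced.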
@@ -161,6 +161,8 @@ jobs: cgo-enabled: "1" github-token: ${{ secrets.GITHUB_TOKEN }} goreleaser-key: ${{ secrets.GORELEASER_PRO }} + cosign-key: ${{ secrets.COSIGN_KEY }} + cosign-password: ${{ secrets.COSIGN_PASSWORD }} - name: Upload artifacts uses: actions/upload-artifact@v4 @@ -201,6 +203,8 @@ jobs: mode: merge github-token: ${{ secrets.GITHUB_TOKEN }} goreleaser-key: ${{ secrets.GORELEASER_PRO }} + cosign-key: ${{ secrets.COSIGN_KEY }} + cosign-password: ${{ secrets.COSIGN_PASSWORD }} - name: Rolling release if: inputs.rolling-release-tag != '' diff --git a/.github/workflows/go-release.yaml b/.github/workflows/go-release.yaml index 46ff5d5..d291626 100644 --- a/.github/workflows/go-release.yaml +++ b/.github/workflows/go-release.yaml @@ -108,6 +108,8 @@ jobs: mode: full github-token: ${{ secrets.GITHUB_TOKEN }} homebrew-tap-token: ${{ secrets.HOMEBREW_TAP_TOKEN }} + cosign-key: ${{ secrets.COSIGN_KEY }} + cosign-password: ${{ secrets.COSIGN_PASSWORD }} - name: Rolling release if: inputs.rolling-release-tag != ''
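Review bot: Signing fails open when `secrets.COSIGN_KEY` is empty or not visible to these workflows. `cosign-key` then resolves to its `""` default, the install step is skipped by `if: inputs.cosign-key != ''`, and nothing in the visible hunks stops the release from publishing unsigned. These workflows read `inputs.rolling-release-tag`, so they may be reusable. If they are called through `workflow_call`, the two secrets must be declared under `on.workflow_call.secrets` or inherited by the caller, and this diff adds no such declaration. I would make the state explicit with a step before GoReleaser that receives the key through `env:` and runs `if [ -z "$COSIGN_KEY" ]; then echo "::warning::COSIGN_KEY not set; artifacts will not be signed"; fi`, or an `exit 1` for tagged releases. The same applies to the merge hunk at -201 and the go-release.yaml hunk at -108.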