diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 75a9a75..56d0f75 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -13,6 +13,14 @@ env:
 NIXPKGS_ALLOW_UNFREE: 1
 jobs:
+ build:
+ runs-on: ubuntu-22.04
+ name: Build
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7
+ - run: nix-shell --run 'go build'
+ - run: ./terraform-provider-mailjet --help
 static_analysis:
 runs-on: ubuntu-22.04
 name: Run static analysis and linting
@@ -31,18 +39,3 @@ jobs:
 run: |
 git diff --compact-summary --exit-code || \
 (echo; echo "Unexpected difference in directories after code generation. Run 'go generate ./...' command and commit."; exit 1)
- test_release:
- runs-on: ubuntu-22.04
- permissions:
- id-token: write
- contents: read
- name: Test release
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7
- - run: nix-shell --run 'goreleaser --snapshot --clean'
- - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
- with:
- name: test-release-dist
- path: dist/**/*
- retention-days: 2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..d8aa1cf
--- /dev/null
+++ b/.github/workflows/release.yml
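Review bot: The new `build` job in CI.yml declares no `permissions:` block, whereas the `test_release` job this commit deletes scoped its token explicitly. Unless the part of the workflow above line 13 (not visible in this hunk) sets a workflow-level default, `build` runs with the repository's default GITHUB_TOKEN scope; adding `permissions:` with `contents: read` under `build:` keeps it read-only. Separately, with the snapshot release job gone, `.goreleaser.yml` is first exercised on a real tag push with the signing key loaded. A `- run: nix-shell --run 'goreleaser check'` step in this job would at least validate the config on every CI run.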
@@ -0,0 +1,29 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+permissions:
+ contents: write
+ id-token: write
+
+jobs:
+ goreleaser:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ with:
+ fetch-depth: 0
+ - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7
+ - name: Import GPG key
+ uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef
+ id: import_gpg
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.PASSPHRASE }}
+ - run: nix-shell --run 'goreleaser --clean'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 22a85e7..6dbd9d1 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -31,6 +31,21 @@ checksum:
 name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
 name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
 algorithm: sha256
+signs:
+ - artifacts: checksum
+ args:
+ - "--batch"
+ - "--local-user"
+ - "{{ .Env.GPG_FINGERPRINT }}"
+ - "--output"
+ - "${signature}"
+ - "--detach-sign"
+ - "${artifact}"
+ - id: cosign-keyless
+ signature: "${artifact}.bundle"
+ cmd: cosign
+ args: [ "sign-blob", "--bundle", "${signature}", "--yes", "${artifact}" ]
+ artifacts: all
 release:
 extra_files:
 - glob: 'terraform-registry-manifest.json'
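Review bot: In release.yml, any push of a tag matching `v*` reaches the GPG private key, its passphrase, a `contents: write` token and an OIDC token, with no approval gate visible in the workflow. Binding the job to a protected environment, e.g. `environment: release` (name constructed here) with required reviewers and the two GPG secrets stored as environment secrets, limits who can trigger a signed release; a tag protection rule for `v*` complements it. The checkout step also leaves the write-scoped token in the local git config for the later `nix-shell` step. Adding `persist-credentials: false` under its `with:` removes that, and goreleaser is unaffected because it already receives `GITHUB_TOKEN` through `env:`.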
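Review bot: The `cosign-keyless` entry under `signs:` in .goreleaser.yml produces signatures whose value rests entirely on the signer identity in the certificate, and nothing in this hunk records which identity a verifier should pin. A comment above the entry would document the check, for example `# verify: cosign verify-blob --bundle <artifact>.bundle --certificate-identity <release workflow URL at the tag ref> --certificate-oidc-issuer https://token.actions.githubusercontent.com <artifact>`, with the placeholders filled in for this repository. Without a pinned identity and issuer, a bundle signed by any other workflow or account would verify equally well. The entry also assumes `cosign` is provided by the nix shell, which is not visible in this diff.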