diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index fcaf6775..00000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-on: [push, pull_request]
-name: build
-jobs:
-  test:
-    strategy:
-      matrix:
-        go-version: [1.15.x, 1.16.x, 1.17.x]
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-    - name: Install Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: ${{ matrix.go-version }}
-    - name: Setup Python
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.6
-    - name: Checkout code
-      uses: actions/checkout@v2
-    - name: Install Python dependencies
-      run: |
-        python -m pip install --upgrade iso8601 requests securesystemslib six tuf
-    - name: Format Unix
-      if: runner.os == 'Linux'
-      run: test -z $(go fmt ./...)
-    - name: Test
-      run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
-    - name: Send coverage
-      if: runner.os == 'Linux'
-      env:
-        COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        GO111MODULE=off go get github.com/mattn/goveralls
-        $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 9ae8401d..88189d96 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -4,7 +4,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.13.x, 1.14.x, 1.15.x]
+        go-version: [1.16.x, 1.17.x]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -33,7 +33,16 @@ jobs:
       run: |
         GO111MODULE=off go get github.com/mattn/goveralls
         $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+    - name: Vet
+      run: go vet ./...
+    - name: Install staticcheck
+      run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
+    - name: Run staticcheck
+      run: staticcheck ./...
   release-server:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: ubuntu-latest
     needs: test
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -46,25 +55,24 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - name: write cosign.key to environment
-        run: 'echo "$COSIGN_KEY" > .github/cosign.key'
-        shell: bash
-        env:
           COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
       - name: install cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.2.1'
+          cosign-release: 'v1.4.1'
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
-          version: 'v0.180.2'
+          version: 'v1.2.2'
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+          COSIGN_EXPERIMENTAL: 1
   release-cli:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: ubuntu-latest
     needs: test
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -85,13 +93,14 @@ jobs:
       - name: install cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.2.1'
+          cosign-release: 'v1.4.1'
+      - uses: anchore/sbom-action/download-syft@v0.6.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
-          version: 'v0.180.2'
+          version: 'v1.2.5'
           args: release --config ./.goreleaser_client.yaml --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+          COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 297984de..e9ba69a8 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -15,9 +15,17 @@ builds:
     goarch:
       - amd64
     main: ./cmd/tuf/
+gomod:
+  proxy: true
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
+source:
+  enabled: true
 signs:
   - cmd: cosign
     signature: "${artifact}.sig"
-    stdin: '{{ .Env.COSIGN_PWD }}'
-    args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+    certificate: "${artifact}.pem"
+    args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
     artifacts: all
\ No newline at end of file
diff --git a/.goreleaser_client.yaml b/.goreleaser_client.yaml
index 9701e072..08352a98 100644
--- a/.goreleaser_client.yaml
+++ b/.goreleaser_client.yaml
@@ -15,9 +15,13 @@ builds:
     goarch:
       - amd64
     main: ./cmd/tuf-client/
+gomod:
+  proxy: true
+sboms:
+  - artifacts: archive
 signs:
   - cmd: cosign
     signature: "${artifact}.sig"
-    stdin: '{{ .Env.COSIGN_PWD }}'
-    args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+    certificate: "${artifact}.pem"
+    args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
     artifacts: all
\ No newline at end of file