diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..2396b46
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,60 @@
+# SPDX-FileCopyrightText: 2024 Risk.Ident GmbH <contact@riskident.com>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+name: goreleaser
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Docker login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Run GoReleaser and publish
+        uses: goreleaser/goreleaser-action@v5
+        if: "startsWith(github.ref, 'refs/tags/')"
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser, but skip publish
+        uses: goreleaser/goreleaser-action@v5
+        if: "!startsWith(github.ref, 'refs/tags/')"
+        with:
+          version: latest
+          args: release --clean --skip=publish --snapshot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..f599bd8
--- /dev/null
+++ b/.goreleaser.yaml
@@ -0,0 +1,75 @@
+# SPDX-FileCopyrightText: 2024 Risk.Ident GmbH <contact@riskident.com>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+
+dockers:
+  - image_templates:
+      - "ghcr.io/riskident/{{ .ProjectName }}:v{{ .Version }}-amd64"
+    dockerfile: goreleaser.Dockerfile
+    use: buildx
+    goarch: amd64
+    goos: linux
+    build_flag_templates:
+      - --platform=linux/amd64
+      - --label=org.opencontainers.image.version={{ .Version }}
+      - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}
+      - --label=org.opencontainers.image.revision={{ .FullCommit }}
+
+  - image_templates:
+      - "ghcr.io/riskident/{{ .ProjectName }}:v{{ .Version }}-arm64v8"
+    dockerfile: goreleaser.Dockerfile
+    use: buildx
+    goarch: arm64
+    goos: linux
+    build_flag_templates:
+      - --platform=linux/arm64/v8
+      - --label=org.opencontainers.image.version={{ .Version }}
+      - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}
+      - --label=org.opencontainers.image.revision={{ .FullCommit }}
+
+docker_manifests:
+  - name_template: "ghcr.io/riskident/{{ .ProjectName }}:v{{ .Version }}"
+    image_templates:
+      - "ghcr.io/riskident/{{ .ProjectName }}:v{{ .Version }}-amd64"
+      - "ghcr.io/riskident/{{ .ProjectName }}:v{{ .Version }}-arm64v8"
+  - name_template: "ghcr.io/riskident/{{ .ProjectName }}:latest"
+    image_templates:
+      - "ghcr.io/riskident/{{ .ProjectName }}:v{{ .Version }}-amd64"
+      - "ghcr.io/riskident/{{ .ProjectName }}:v{{ .Version }}-arm64v8"
+
+archives:
+  - format: tar.gz
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+
diff --git a/Dockerfile b/Dockerfile
index 6f8cbc0..3bb1939 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,9 +9,9 @@ COPY go.mod go.sum .
 RUN go mod download
 
 COPY *.go .
-ENV CGO_ENABLED=0
-RUN go install
+RUN CGO_ENABLED=0 go install
 
+# NOTE: When updating here, remember to also update in ./goreleaser.Dockerfile
 FROM scratch
 COPY --from=build /go/bin/ri-forward-webhook /usr/bin/
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
diff --git a/README.md b/README.md
index 6d3da74..78ec57f 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,20 @@ go run .
 podman build . -t ghcr.io/riskident/ri-forward-webhook
 ```
 
+## Releasing
+
+1. Create a new release on GitHub, with "v" prefix on version: <https://github.com/RiskIdent/ri-forward-webhook/releases/new>
+
+2. Write a small changelog, like so:
+
+   ```markdown
+   ## Changes (since v0.3.0)
+
+   - Added some feature. (#123)
+   ```
+
+3. Our GitHub Action with goreleaser will build and add artifacts to release
+
 ## License
 
 This repository complies with the [REUSE recommendations](https://reuse.software/).
diff --git a/goreleaser.Dockerfile b/goreleaser.Dockerfile
new file mode 100644
index 0000000..caf659d
--- /dev/null
+++ b/goreleaser.Dockerfile
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Risk.Ident GmbH <contact@riskident.com>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+FROM docker.io/library/alpine AS certs
+RUN apk add --no-cache ca-certificates
+
+# NOTE: When updating here, remember to also update in ./Dockerfile
+FROM scratch
+COPY ri-forward-webhook /usr/local/bin/
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENTRYPOINT ["ri-forward-webhook"]
+USER 10000
+LABEL \
+	org.opencontainers.image.source=https://github.com/RiskIdent/ri-forward-webhook \
+	org.opencontainers.image.description="Forwards and validates webhooks" \
+	org.opencontainers.image.licenses=GPL-3.0-or-later