diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..e0871f9
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "gomod" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..86a5629
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,37 @@
+name: releaser
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+ releaser:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - run: git fetch --force --tags
+ - uses: actions/setup-go@v3
+ with:
+ go-version: '>=1.20'
+ check-latest: true
+ cache: true
+ - name: Download syft binary
+ run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+ - name: Run syft
+ run: syft version
+ - name: Goreleaser
+ uses: goreleaser/goreleaser-action@v4
+ with:
+ install-only: true
+ - run: go version
+ - run: goreleaser -v
+ - name: Releaser
+ run: make release
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..53213b3
--- /dev/null
+++ b/.goreleaser.yaml
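Review bot: The `updates` list in .github/dependabot.yml covers only `gomod`, so the actions that release.yml in this same commit references by tag (`actions/checkout@v3`, `actions/setup-go@v3`, `goreleaser/goreleaser-action@v4`) will never receive update PRs. A second entry for the `github-actions` ecosystem, placed after the gomod one, closes that gap. It also keeps the references current if they are later pinned to commit SHAs.

```yaml
# … unchanged: version and the gomod entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```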
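Review bot: The `Download syft binary` step in release.yml pipes `install.sh` from the moving `main` branch of anchore/syft straight into `sh`, inside a job that holds `contents: write` and `id-token: write`. Whatever that branch serves at release time therefore runs with the ability to publish release assets. Pin both the script and the tool, for example `run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/<PINNED_COMMIT_SHA>/install.sh | sh -s -- -b /usr/local/bin <PINNED_SYFT_VERSION>` (both values are placeholders for a reviewed commit and release). The three `uses:` lines have the same weakness, since `@v3` and `@v4` are mutable tags; a full commit SHA with the tag kept in a trailing comment makes the release toolchain reproducible and auditable.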
@@ -0,0 +1,50 @@
+project_name: sbomasm
+
+env:
+ - GO111MODULE=on
+
+before:
+ hooks:
+ - go mod tidy
+ - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
+
+gomod:
+ proxy: true
+
+builds:
+ - id: binaries
+ binary: sbomasm-{{ .Os }}-{{ .Arch }}
+ no_unique_dist_dir: true
+ main: .
+ flags:
+ - -trimpath
+ mod_timestamp: '{{ .CommitTimestamp }}'
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ - arm64
+ ldflags:
+ - "{{ .Env.LDFLAGS }}"
+ env:
+ - CGO_ENABLED=0
+
+archives:
+- format: binary
+ name_template: "{{ .Binary }}"
+ allow_different_binary_count: true
+
+snapshot:
+ name_template: SNAPSHOT-{{ .ShortCommit }}
+
+release:
+ prerelease: allow
+ draft: true
+
+sboms:
+ -
+ artifacts: binary
+ documents:
+ - "${artifact}.spdx.sbom"
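Review bot: Nothing in .goreleaser.yaml signs what it publishes: there is a `sboms:` block but no `signs:` section, so consumers cannot verify that the binaries or the `.spdx.sbom` documents came from this workflow. release.yml in the same commit grants `id-token: write`, which looks intended for keyless signing but is not used by anything visible here. Either add a cosign `signs:` block along the lines of the constructed example below (it also needs cosign installed in the workflow), or drop that permission to keep the job least-privileged. Separately, `ldflags` is only `{{ .Env.LDFLAGS }}`, so the build depends on `LDFLAGS` being exported by `make release`, which this diff does not show; a comment naming where it is set would help.

```yaml
# … unchanged: builds, archives, snapshot, release, sboms …
# constructed example of keyless signing; adjust flags to the cosign version in use
signs:
  - cmd: cosign
    certificate: "${artifact}.pem"
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"
    artifacts: all
```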