diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3308fae
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+export AQUA_POLICY_CONFIG=$PWD/aqua-policy.yaml:$AQUA_POLICY_CONFIG
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8e67200..feb7909 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
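Review bot: When `AQUA_POLICY_CONFIG` is not already set in the developer's environment, the exported value ends in a trailing colon (`…/aqua-policy.yaml:`), and nothing here shows whether aqua tolerates an empty path element; appending conditionally sidesteps the question: `export AQUA_POLICY_CONFIG=$PWD/aqua-policy.yaml${AQUA_POLICY_CONFIG:+:$AQUA_POLICY_CONFIG}`. This file presumably only takes effect under direnv, so CI relies on the workflow-level `env` in release.yaml, which sets the policy path without the append.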
@@ -3,43 +3,43 @@ on: push: tags: - "v*" -permissions: - contents: write # required to create a release - id-token: write # required for cosign +env: + AQUA_POLICY_CONFIG: ${{ github.workspace }}/aqua-policy.yaml jobs: build: runs-on: ubuntu-latest outputs: hashes: ${{ steps.hash.outputs.hashes }} + permissions: + contents: write # required to create a release + id-token: write # required for cosign steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: "1.19.3" + go-version: "1.19.4" + - uses: aquaproj/aqua-installer@61e2563dfe7674cbf74fe6ec212e444198a3bb00 # v2.0.2 + with: + aqua_version: v1.30.1 + - run: cosign version - name: Run GoReleaser + id: run-goreleaser uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0 with: - version: latest - args: release --rm-dist --skip-publish + version: v1.14.1 # renovate: depName=goreleaser/goreleaser + args: release --rm-dist env: GITHUB_TOKEN: ${{ github.token }} - - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3 - with: - name: artifacts - path: | - dist/*.tar.gz - dist/*.sig - dist/*.pem - dist/*_checksums.txt - - name: Generate hashes + - name: Generate subject id: hash + env: + ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" run: | - # sha256sum generates sha256 hash for all artifacts. - # base64 -w0 encodes to base64 and outputs on a single line. - # sha256sum artifact1 artifact2 ... | base64 -w0 - echo "hashes=$(find dist -name "*.tar.gz" -print0 | xargs -0 sha256sum | base64 -w0)" >> "$GITHUB_OUTPUT" + set -euo pipefail + checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" provenance: needs: [build] 
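Review bot: In the new `Generate subject` script, `checksum_file` can be empty when the goreleaser artifact list has no `Checksum` entry, and `set -euo pipefail` does not catch that: `jq` exits 0 with no output, the unquoted `cat $checksum_file` then reads stdin, and the step writes an empty `hashes` output that only fails later in the provenance job. Guard it and quote the expansion: `checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select(.type=="Checksum") | .path')`, `[ -n "$checksum_file" ] || { echo "no Checksum artifact in goreleaser output" >&2; exit 1; }`, `echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"`. Moving `permissions` from the workflow level into the `build` job also means the `provenance` job, which continues past the end of this hunk, no longer inherits `id-token: write` and `contents: write`; that is fine only if that job declares its own `permissions` block, which is not visible here. Passing the artifact JSON through the `ARTIFACTS` env var instead of interpolating `${{ }}` into the script body is the right choice and should stay.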
@@ -54,27 +54,4 @@ jobs: with: base64-subjects: "${{ needs.build.outputs.hashes }}" # Upload provenance to a new release
- upload-assets: false
-
- release:
- needs: [provenance]
- runs-on: ubuntu-latest
- steps:
- - run: mkdir -p dist/artifacts dist/provenance
- - name: Download the provenance
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3
- with:
- name: ${{ needs.provenance.outputs.provenance-name }}
- path: dist/provenance/${{ needs.provenance.outputs.provenance-name }}
- - name: Download artifacts
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3
- with:
- name: artifacts
- path: dist/artifacts
-
- - name: Release
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
- with:
- prerelease: true
- files: |
- dist/**/*
+ upload-assets: true
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 48d8805..8b596d9 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -17,4 +17,21 @@ builds: archives: - name_template: '{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}' release:
- draft: true # we update release note manually before releasing
+ prerelease: true # we update release note manually before releasing
+signs:
+ - cmd: cosign
+ artifacts: checksum
+ signature: ${artifact}.sig
+ certificate: ${artifact}.pem
+ output: true
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ args:
+ - sign-blob
+ - --output-signature
+ - ${signature}
+ - --output-certificate
+ - ${certificate}
+ - --oidc-provider
+ - github
+ - ${artifact}
diff --git a/aqua-policy.yaml b/aqua-policy.yaml
new file mode 100644
index 0000000..650fc02
--- /dev/null
+++ b/aqua-policy.yaml
@@ -0,0 +1,8 @@
+---
+# aqua Policy
+# https://aquaproj.github.io/docs/tutorial-extras/policy-as-code
+registries:
+ - type: standard
+ ref: semver(">= 3.0.0")
+packages:
+ - registry: standard
diff --git a/aqua.yaml b/aqua.yaml
new file mode 100644
index 0000000..31731d8
--- /dev/null
+++ b/aqua.yaml
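Review bot: The comment `# Upload provenance to a new release` above `upload-assets: true` no longer says which release that is now that the `release` job is deleted; suggest `# Upload provenance to the prerelease goreleaser creates in the build job` so the coupling to `.goreleaser.yaml`'s `release.prerelease: true` is visible from the workflow. The `provenance` job this hunk belongs to starts before the hunk, so its generator ref and permissions could not be checked here.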
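Review bot: `artifacts: checksum` signs only the checksums file, so the `.sig`/`.pem` pair that `output: true` publishes covers the archives only transitively through their sha256 entries, and nothing in the file says so; a comment on that line such as `# keyless-sign the checksums file only; archives are verified through their sha256 entries in it` would spare the next reader the lookup. With `COSIGN_EXPERIMENTAL=1` and `--oidc-provider github` the certificate is presumably bound to the workflow's OIDC identity, so consumers running `cosign verify-blob` need the expected identity and issuer written down (README or release notes) for the signature to mean anything to them — worth adding alongside this commit.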
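Review bot: The policy's `packages` entry allows any package from the `standard` registry, while `aqua.yaml` only needs `sigstore/cosign`; if the policy schema accepts a package `name` constraint (the linked policy-as-code page documents the fields), narrowing the entry to that one name keeps a later edit of `aqua.yaml` from pulling arbitrary tools into the release job under this policy. The `ref: semver(">= 3.0.0")` bound is consistent with the `v3.116.0` registry pin in `aqua.yaml`.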
@@ -0,0 +1,14 @@
+---
+# aqua - Declarative CLI Version Manager
+# https://aquaproj.github.io/
+# checksum:
+# # https://aquaproj.github.io/docs/reference/checksum/
+# enabled: true
+# require_checksum: true
+# supported_envs:
+# - all
+registries:
+ - type: standard
+ ref: v3.116.0 # renovate: depName=aquaproj/aqua-registry
+packages:
+ - name: sigstore/cosign@v1.13.1
diff --git a/renovate.json b/renovate.json
index 559249f..9a9265e 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,6 +2,7 @@ "extends": [ "config:base", "helpers:pinGitHubActionDigests",
+ "github>aquaproj/aqua-renovate-config#1.5.0",
"github>suzuki-shunsuke/renovate-config" ], "packageRules": [
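Review bot: The `checksum:` block that would turn on aqua's checksum verification is left commented out, so as far as this file shows the cosign binary that later signs the release is resolved by version name only, with no digest pinned in the repository; because this is the signing tool itself, enabling `checksum: enabled: true` with `require_checksum: true` and committing the generated checksum file is the cheapest hardening this change could take. The `ref: v3.116.0` registry pin carries a renovate marker while `- name: sigstore/cosign@v1.13.1` does not; the aqua renovate preset added in `renovate.json` presumably covers it, but a `# renovate:` marker or a comment saying so would make that explicit.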