diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 1067ce2..648db8a 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -12,6 +12,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     env:
       DOCKER_IMAGE: ghcr.io/zazuko/stardog
 
@@ -20,6 +21,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.7.0
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -56,3 +60,16 @@ jobs:
           labels: ${{ steps.docker_meta.outputs.labels }}
           platforms: |
             linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.docker_build.outputs.digest }}
+          TAGS: ${{ steps.docker_meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index efa26df..3a6094b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,6 +13,9 @@ jobs:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
       # This allow GitHub Actions to trigger the jobs for tags if needed
       - name: Generate token
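Review bot: `uses: sigstore/cosign-installer@v3.7.0` pins the tool that will hold the job's signing identity to a mutable git tag, whereas tags can be moved and the rest of the job only pins major versions (`actions/checkout@v4`, `docker/setup-qemu-action@v3`). For the step that installs the signer it is worth pinning to the action's commit SHA and keeping the version in a trailing comment so updates stay reviewable, e.g. `uses: sigstore/cosign-installer@<commit-sha-of-v3.7.0>  # v3.7.0` (placeholder, look the SHA up in the action's repository). The same treatment for the other `uses:` lines would be consistent, but those are outside this hunk.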
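Review bot: The new signing step runs unconditionally, yet `cosign sign` can only resolve `${tag}@${DIGEST}` if `docker_build` (defined above this hunk) actually pushed the image; if that step builds without pushing on some events, e.g. pull requests, the step fails the job, so it should carry the same condition as the push, such as `if: github.event_name != 'pull_request'` — confirm against the build step's `push:` input. The step also deserves a short comment for consumers, because a keyless signature is only useful with a known identity: the certificate subject is this workflow's OIDC identity and the issuer is `https://token.actions.githubusercontent.com`, which is what `cosign verify --certificate-identity-regexp … --certificate-oidc-issuer …` needs, and that is why `id-token: write` was added in the first hunk. Passing `DIGEST` and `TAGS` through `env:` instead of interpolating `${{ }}` into `run:` is the right shape and should stay that way.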