diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 2a2d2da..409c8ca 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -51,4 +51,7 @@ jobs:
 needs: auto-tag
 uses: ./.github/workflows/release.yml
 permissions: write-all
- secrets: inherit
+ secrets:
+ RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ PASSPHRASE: ${{ secrets.PASSPHRASE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4192cb1..a897c05 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,6 +2,13 @@ name: Release
 on:
 workflow_call:
+ secrets:
+ RELEASE_TOKEN:
+ required: true
+ GPG_PRIVATE_KEY:
+ required: false
+ PASSPHRASE:
+ required: false
 push:
 tags:
 - "v*"
@@ -38,7 +45,7 @@ jobs:
 with:
 gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.PASSPHRASE }}
- if: ${{ env.GPG_PRIVATE_KEY != '' }}
+ if: ${{ secrets.GPG_PRIVATE_KEY != '' }}
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v4
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 791cd44..690aaf4 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -95,3 +95,12 @@ release:
 snapshot:
 name_template: "{{ incpatch .Version }}-next"
+
+signs:
+ - cmd: gpg
+ args:
+ - "--output"
+ - "${signature}"
+ - "--detach-sign"
+ - "${artifact}"
+ artifacts: checksum
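Review bot: The `permissions: write-all` line kept as context in the auto-tag.yml hunk still hands the called release workflow a token with every write scope, which undercuts the narrowing this change makes for secrets. If release.yml only publishes a release, a scoped block such as `permissions:` with `contents: write` would likely be enough; this is inferred, because most of release.yml's steps are outside the diff, so confirm which scopes GoReleaser and the signing step actually need. The job definition starts above the hunk.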
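Review bot: The three secrets declared under `workflow_call` in the first release.yml hunk carry no `description:`, so a caller cannot tell what RELEASE_TOKEN must be allowed to do or what form GPG_PRIVATE_KEY is expected in. A line such as `description: Private key used to sign release checksums` under GPG_PRIVATE_KEY (wording to be confirmed against the import step) documents the contract. A short comment noting that these declarations are consulted only for `workflow_call`, and that the `push` trigger reads the repository's own secrets, would also help the next maintainer.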
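Review bot: The new condition `if: ${{ secrets.GPG_PRIVATE_KEY != '' }}` in the second release.yml hunk will not evaluate, because the `secrets` context is not available in a step-level `if:` and GitHub rejects it as an unrecognized named-value. The removed `env.` form was the supported pattern, but it needs the variable to be defined somewhere. A job-level flag, `env:` with `HAS_GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY != '' }}`, tested as `if: ${{ env.HAS_GPG_KEY == 'true' }}`, keeps the check without copying the key material into every step's environment. The step and the job header both start outside the hunk.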
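Review bot: The added `signs:` entry in .goreleaser.yml runs gpg on every release, while release.yml declares GPG_PRIVATE_KEY as `required: false` and imports the key only conditionally. With no key imported the signing command would presumably fail and take the release down with it, so either make the secret required or make signing conditional. The gpg arguments also lack `--batch`, which matters on a runner with no TTY, and they do not pin the signing key. Adding `- "--batch"` and a `--local-user` argument carrying the expected key fingerprint makes it explicit which key produces the checksum signature.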