diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 00000000..9bd33bca
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,81 @@
+---
+name: release
+
+on:
+  push:
+    tags: ["*"]
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: version
+        run: echo "version=$(/usr/bin/basename ${{ github.ref }})" >> $GITHUB_OUTPUT
+        id: version
+
+      - name: release
+        uses: actions/create-release@v1
+        id: create_release
+        with:
+          draft: false
+          prerelease: false
+          release_name: ${{ steps.version.outputs.version }}
+          tag_name: ${{ github.ref }}
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Package
+        uses: a7ul/tar-action@v1.1.2
+        with:
+          files: .
+          command: c
+          outPath: ${{ steps.version.outputs.version }}.tar.gz
+
+      - name: Sign release with Sigstore
+        uses: sigstore/gh-action-sigstore-python@v0.0.9
+        with:
+          inputs: ${{ steps.version.outputs.version }}.tar.gz
+          release-signing-artifacts: true
+          upload-signing-artifacts: true
+
+      - name: upload signed asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ${{ steps.version.outputs.version }}.tar.gz
+          asset_name: ${{ steps.version.outputs.version }}.tar.gz
+          asset_content_type: application/gzip
+
+      - name: upload sigstore certificate
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ${{ steps.version.outputs.version }}.tar.gz.crt
+          asset_name: ${{ steps.version.outputs.version }}.tar.gz.crt
+          asset_content_type: application/x-x509-ca-cert
+
+      - name: upload sigstore signature
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ${{ steps.version.outputs.version }}.tar.gz.sig
+          asset_name: ${{ steps.version.outputs.version }}.tar.gz.sig
+          asset_content_type: application/octet-stream
+
+      - name: Build and Deploy Collection
+        uses: 0x022b/galaxy-role-import-action@1.0.0
+        with:
+          galaxy_api_key: "${{ secrets.ANSIBLE_GALAXY_TOKEN }}"
diff --git a/ChangeLog b/ChangeLog
index 694e6d59..1c6437df 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,9 @@
 ** Calling process PID is now used as the `task_id` attribute in TACACS+ accounting session. This replaces 
    an overengineered cryptographically random tasks identifiers.
 
+1.6.2
+* SigStore signed releases
+
 1.6.1
 * Fixed security issue (CVE-2020-27743) which could result in packet encryption operate uninitialized in case of RAND_bytes() failure