Since you appear to be using goreleaser in your GH workflow, please consider tweaking your workflow to add SLSA3 provenance:

https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
https://github.blog/enterprise-software/devsecops/enhance-build-security-and-reach-slsa-level-3-with-github-artifact-attestations/