diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
index 2e33383..7b8463e 100644
--- a/.github/workflows/cicd.yaml
+++ b/.github/workflows/cicd.yaml
@@ -54,27 +54,67 @@ jobs:
 
     deploy:
         runs-on: ubuntu-latest
-        needs: [build]
+        needs: [ build ]
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
         steps:
-            - name: Checkout code
-              uses: actions/checkout@v3
+            -   name: Checkout code
+                uses: actions/checkout@v3.5.2
+                with:
+                    fetch-depth: 1
 
-            - name: 'Login to github packages'
-              uses: docker/login-action@v1
-              with:
-                  registry: ${{ env.GITHUB_REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
+            -   name: Install Cosign
+                uses: sigstore/cosign-installer@v3.5.0
 
-            - name: Download build artifact
-              uses: actions/download-artifact@v2
-              with:
-                  name: valtimo-backend-build
+            -   name: Set up QEMU
+                uses: docker/setup-qemu-action@v2.1.0
 
-            - name: Build and push Docker image
-              uses: docker/build-push-action@v2
-              with:
-                  file: Dockerfile
-                  context: .
-                  push: true
-                  tags: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }}
+            -   name: Set up Docker Buildx
+                uses: docker/setup-buildx-action@v2.5.0
+
+            -   name: Download dist artifact
+                uses: actions/download-artifact@v2
+                with:
+                    name: valtimo-backend-build
+
+            -   name: 'Login to github packages'
+                uses: docker/login-action@v1
+                with:
+                    registry: ${{ env.GITHUB_REGISTRY }}
+                    username: ${{ github.actor }}
+                    password: ${{ secrets.GITHUB_TOKEN }}
+
+            -   id: docker_meta
+                uses: docker/metadata-action@v4.4.0
+                with:
+                    images: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}
+                    tags: type=raw,value=${{ needs.build.outputs.tagToDeploy }}
+
+            -   name: Build and push Docker image
+                uses: docker/build-push-action@v4.0.0
+                id: build-and-push
+                with:
+                    file: Dockerfile
+                    context: .
+                    push: true
+                    tags: ${{ steps.docker_meta.outputs.tags }}
+
+            -   name: Sign the images with GitHub OIDC Token
+                env:
+                    DIGEST: ${{ steps.build-and-push.outputs.digest }}
+                    TAGS: ${{ steps.docker_meta.outputs.tags }}
+                run: |
+                    images=""
+                    for tag in ${TAGS}; do
+                      images+="${tag}@${DIGEST} "
+                    done
+                    cosign sign --yes ${images}
+
+            -   name: Verify the images
+                run: |
+                    branch=${GITHUB_REF##*/}
+                    cosign verify ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }} \
+                       --certificate-identity https://github.com/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}/.github/workflows/cicd.yaml@refs/heads/${branch} \
+                       --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq