diff --git a/.goreleaser.yml b/.goreleaser.yml
index cd4e19a38..f5b61692b 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -11,6 +11,10 @@ before:
   hooks:
     - go mod tidy
     - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
+# if running a release we will generate the images in this step
+# if running in the CI the CI env va is set by github action runner and we dont run the ko steps
+# this is needed because we are generating files that goreleaser was not aware to push to GH project release
+    - /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release && make sign-keyless-release; fi'
 
 gomod:
   proxy: true
@@ -109,3 +113,6 @@ release:
     name: rekor
   footer: |
     ### Thanks for all contributors!
+
+  extra_files:
+    - glob: "./rekor*.yaml"
diff --git a/Makefile b/Makefile
index 846795f4b..7ef6c29cc 100644
--- a/Makefile
+++ b/Makefile
@@ -29,6 +29,7 @@ RUNTIME_IMAGE ?= gcr.io/distroless/static
 # Set version variables for LDFLAGS
 GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 GIT_HASH ?= $(shell git rev-parse HEAD)
+GIT_TAG ?= dirty-tag
 DATE_FMT = +'%Y-%m-%dT%H:%M:%SZ'
 SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)
 ifdef SOURCE_DATE_EPOCH
@@ -44,6 +45,7 @@ endif
 
 KO_PREFIX ?= gcr.io/projectsigstore
 export KO_DOCKER_REPO=$(KO_PREFIX)
+REKOR_YAML ?= rekor-$(GIT_TAG).yaml
 
 # Binaries
 SWAGGER := $(TOOLS_BIN_DIR)/swagger
@@ -111,13 +113,13 @@ debug:
 ko:
 	# rekor-server
 	LDFLAGS="$(SERVER_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	ko publish --base-import-paths --bare \
+	ko resolve --base-import-paths \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \
-		github.com/sigstore/rekor/cmd/rekor-server
+		--filename config/ > $(REKOR_YAML)
 
 	# rekor-cli
 	LDFLAGS="$(CLI_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	ko publish --base-import-paths --bare \
+	ko publish --base-import-paths \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 		github.com/sigstore/rekor/cmd/rekor-cli
 
@@ -136,12 +138,12 @@ sign-keyless-ci: ko
 .PHONY: ko-local
 ko-local:
 	LDFLAGS="$(SERVER_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	ko publish --base-import-paths --bare \
+	ko publish --base-import-paths \
 		--tags $(GIT_VERSION) --tags $(GIT_HASH) --local \
 		github.com/sigstore/rekor/cmd/rekor-server
 
 	LDFLAGS="$(CLI_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	ko publish --base-import-paths --bare \
+	ko publish --base-import-paths \
 		--tags $(GIT_VERSION) --tags $(GIT_HASH) --local \
 		github.com/sigstore/rekor/cmd/rekor-cli
 
@@ -149,10 +151,10 @@ ko-local:
 .PHONY: ko-trillian
 ko-trillian:
 	LDFLAGS="$(SERVER_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	ko publish --base-import-paths --bare \
+	ko publish --base-import-paths \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 		github.com/google/trillian/cmd/trillian_log_signer
-	ko publish --base-import-paths --bare \
+	ko publish --base-import-paths \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 		github.com/google/trillian/cmd/trillian_log_server
 
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
index a83d4bd54..1402f98c6 100644
--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
@@ -97,6 +97,7 @@ artifacts:
     paths:
     - "go/src/sigstore/rekor/dist/rekor*"
     - "go/src/sigstore/rekor/release/release-cosign.pub"
+    - "go/src/sigstore/rekor/rekor*.yaml"
 
 options:
   machineType: E2_HIGHCPU_8