The OpenSSF Best Practices Badge suggests signing release artifacts. Consider using OpenEXR's release-sign.yml workflow as a template. It's triggered on release creation and does these steps:
Runs get archive to generate a <release>.tar.gz artifact
Uploads the resulting sigstore signature file along with the tarball.
It looks like your release process already involves generating explicit tarballs, so your signing workflow won't need that step, but it will need to run sigstore on each of the artifacts.
The OpenSSF Best Practices Badge suggests signing release artifacts. Consider using OpenEXR's release-sign.yml workflow as a template. It's triggered on release creation and does these steps:
get archiveto generate a<release>.tar.gzartifact<release>.tar.gzvia sigstoreIt looks like your release process already involves generating explicit tarballs, so your signing workflow won't need that step, but it will need to run sigstore on each of the artifacts.