diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 533d149..ff6d9a4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,30 +3,39 @@ name: Release
 on:
   push:
     branches: [ "master" ]
+    # Publish semver tags as releases.
     tags: [ 'v*.*.*' ]
   workflow_dispatch:
 
 env:
+  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
 
+
 jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio
       id-token: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
 
+      # Install the cosign tool
+      # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         uses: sigstore/cosign-installer@v3.1.2
 
+      # https://github.com/docker/setup-buildx-action
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@v3
 
+      # https://github.com/docker/login-action
       - name: Login to GHCR
         uses: docker/login-action@v3
         with:
@@ -34,6 +43,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      # https://github.com/docker/login-action
       - name: Login to docker hub
         uses: docker/login-action@v1
         with:
@@ -41,6 +51,8 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -49,6 +61,8 @@ jobs:
             ghcr.io/${{ env.IMAGE_NAME }}
             ${{ env.IMAGE_NAME }}
 
+      # Build and push Docker image with Buildx
+      # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
         uses: docker/build-push-action@v5
@@ -61,27 +75,27 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      # Update Docker Hub repository description from README.md
+      # https://github.com/peter-evans/dockerhub-description
       - name: Update docker hub description
         uses: peter-evans/dockerhub-description@v3.4.2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
+      # https://github.com/sigstore/cosign
       - name: Sign the published Docker image
-        run: |
-          IMAGE_TAGS="${{ steps.meta.outputs.tags }}"
-          DIGEST="${{ steps.build-and-push.outputs.digest }}"
-          for TAG in $IMAGE_TAGS; do
-            cosign sign --yes "$TAG@$DIGEST"
-          done
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: >
+          echo "${{ steps.meta.outputs.tags }}" | xargs -I {}
+          cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
 
       - name: Verify the signature of the published Docker image
         env:
           IDENTITY: "https://github.com/khulnasoft/deployflow/.github/workflows/release.yml@.*"
-          OIDC_ISSUER: "https://token.actions.githubusercontent.com"
-        run: |
-          IMAGE_TAGS="${{ steps.meta.outputs.tags }}"
-          DIGEST="${{ steps.build-and-push.outputs.digest }}"
-          for TAG in $IMAGE_TAGS; do
-            cosign verify "$TAG@$DIGEST" --certificate-identity-regexp=$IDENTITY --certificate-oidc-issuer=$OIDC_ISSUER
-          done
+          OIDC_ISSUER: https://token.actions.githubusercontent.com
+        run: >
+          echo "${{ steps.meta.outputs.tags }}" | xargs -I {}
+          cosign verify {}@${{ steps.build-and-push.outputs.digest }}
+          --certificate-identity-regexp=$IDENTITY --certificate-oidc-issuer=$OIDC_ISSUER