diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index d73b510e5df..7c2a9f08c6d 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -50,9 +50,11 @@ jobs:
         with:
           go-version-file: 'go.mod'
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
-          version: "~1.17.1"
+          # The version is pinned not only for security purposes, but also to avoid breaking
+          # our scripts, which rely on the specific file names generated by GoReleaser.
+          version: v2.13.1
           install-only: true
       - name: Build release binaries
         env:
@@ -103,9 +105,11 @@ jobs:
           security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "$keychain_password" "$keychain"
           rm "$RUNNER_TEMP/cert.p12"
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
-          version: "~1.17.1"
+          # The version is pinned not only for security purposes, but also to avoid breaking
+          # our scripts, which rely on the specific file names generated by GoReleaser.
+          version: v2.13.1
           install-only: true
       - name: Build release binaries
         env:
@@ -157,9 +161,11 @@ jobs:
         with:
           go-version-file: 'go.mod'
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
-          version: "~1.17.1"
+          # The version is pinned not only for security purposes, but also to avoid breaking
+          # our scripts, which rely on the specific file names generated by GoReleaser.
+          version: v2.13.1
           install-only: true
       - name: Install Azure Code Signing Client
         shell: pwsh
@@ -207,7 +213,7 @@ jobs:
             MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
             case "$MSI_NAME" in
             *_386 )
-              source_dir="$PWD/dist/windows_windows_386"
+              source_dir="$PWD/dist/windows_windows_386_sse2"
               platform="x86"
               ;;
             *_amd64 )
@@ -215,7 +221,7 @@ jobs:
               platform="x64"
               ;;
             *_arm64 )
-              source_dir="$PWD/dist/windows_windows_arm64"
+              source_dir="$PWD/dist/windows_windows_arm64_v8.0"
               platform="arm64"
               ;;
             * )
@@ -309,9 +315,10 @@ jobs:
           rpmsign --addsign dist/*.rpm
       - name: Attest release artifacts
         if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
         with:
           subject-path: "dist/gh_*"
+          create-storage-record: false # (default: true)
       - name: Run createrepo
         env:
           GPG_SIGN: ${{ inputs.environment == 'production' }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 23a8d24727e..15f5c2f1244 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,5 @@
+version: 2
+
 project_name: gh
 
 release:
@@ -28,7 +30,7 @@ builds:
 
   - id: linux #build:linux
     goos: [linux]
-    goarch: [386, arm, amd64, arm64]
+    goarch: ["386", arm, amd64, arm64]
     env:
       - CGO_ENABLED=0
     binary: bin/gh
@@ -38,7 +40,7 @@ builds:
 
   - id: windows #build:windows
     goos: [windows]
-    goarch: [386, amd64, arm64]
+    goarch: ["386", amd64, arm64]
     hooks:
       post:
         - cmd: pwsh .\script\sign.ps1 '{{ .Path }}'
@@ -50,34 +52,32 @@ builds:
 
 archives:
   - id: linux-archive
-    builds: [linux]
+    ids: [linux]
     name_template: "gh_{{ .Version }}_linux_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
     wrap_in_directory: true
-    format: tar.gz
-    rlcp: true
+    formats: [tar.gz]
     files:
       - LICENSE
       - ./share/man/man1/gh*.1
   - id: macos-archive
-    builds: [macos]
+    ids: [macos]
     name_template: "gh_{{ .Version }}_macOS_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
     wrap_in_directory: true
-    format: zip
-    rlcp: true
+    formats: [zip]
     files:
       - LICENSE
       - ./share/man/man1/gh*.1
   - id: windows-archive
-    builds: [windows]
+    ids: [windows]
     name_template: "gh_{{ .Version }}_windows_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
     wrap_in_directory: false
-    format: zip
-    rlcp: true
+    formats: [zip]
     files:
       - LICENSE
 
 nfpms: #build:linux
-  - license: MIT
+  - ids: [linux]
+    license: MIT
     maintainer: GitHub
     homepage: https://github.com/cli/cli
     bindir: /usr
diff --git a/script/pkgmacos b/script/pkgmacos
index a5c9134f107..fed11c99f57 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -58,7 +58,7 @@ fi
 
 # gh-binary paths
 bin_path="/bin/gh"
-arm64_bin="./dist/macos_darwin_arm64$bin_path"
+arm64_bin="./dist/macos_darwin_arm64_v8.0$bin_path"
 amd64_bin="./dist/macos_darwin_amd64_v1$bin_path"
 # payload paths
 payload_root="pkg_payload"
diff --git a/script/release b/script/release
index 23bfb056b88..a3f19016d7d 100755
--- a/script/release
+++ b/script/release
@@ -94,7 +94,7 @@ build_local() {
     ;;
   esac
   [ -z "$tag_name" ] || export GORELEASER_CURRENT_TAG="$tag_name"
-  announce goreleaser release -f "$goreleaser_config" --clean --skip-validate --skip-publish --release-notes="$(mktemp)"
+  announce goreleaser release -f "$goreleaser_config" --clean --skip validate,publish,announce --release-notes="$(mktemp)"
 }
 
 if [ -n "$is_local" ]; then