diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e5b1008913..9b695e0cb4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,6 +8,37 @@ permissions:
   contents: "write"
   packages: "write"
 jobs:
+  goreleaser-windows:
+    runs-on: "windows-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+        with:
+          fetch-depth: 0
+      - uses: "authzed/actions/setup-go@main"
+      - uses: "nowsprinting/check-version-format-action@v4"
+        id: "version"
+        with:
+          prefix: "v"
+      - name: "Fail for an invalid version (windows)"
+        if: "${{ !startsWith(github.ref_name, 'v') || steps.version.outputs.is_valid != 'true' }}"
+        run: 'echo "SpiceDB version must start with `v` and be a semver" && exit 1'
+        shell: "bash"
+      - uses: "authzed/actions/docker-login@main"
+        with:
+          quayio_token: "${{ secrets.QUAYIO_PASSWORD }}"
+          github_token: "${{ secrets.GITHUB_TOKEN }}"
+          dockerhub_token: "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}"
+      - uses: "docker/setup-qemu-action@v3"
+      - uses: "docker/setup-buildx-action@v3"
+      - uses: "goreleaser/goreleaser-action@v6"
+        with:
+          distribution: "goreleaser-pro"
+          version: "latest"
+          args: "release --clean --config=.goreleaser.windows.yml"
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
+          CHOCOLATEY_API_KEY: "${{ secrets.CHOCOLATEY_API_KEY }}"
   goreleaser:
     runs-on: "buildjet-4vcpu-ubuntu-2204"
     steps:
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 66d084b4cc..53e8f2bba8 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -16,7 +16,7 @@ env:
 jobs:
   codeql:
     name: "CodeQL Analyze"
-    if: "${{ github.event_name == 'pull_request' }}"  # workaround to https://github.com/github/codeql-action/issues/1537
+    if: "${{ github.event_name == 'pull_request' }}" # workaround to https://github.com/github/codeql-action/issues/1537
     runs-on: "buildjet-8vcpu-ubuntu-2204"
     timeout-minutes: "${{ (matrix.language == 'swift' && 120) || 360 }}"
     permissions:
@@ -67,18 +67,12 @@ jobs:
           format: "table"
           exit-code: "1"
           severity: "CRITICAL,HIGH,MEDIUM"
-      # Workaround until goreleaser release supports --single-target
-      # makes the build faster by not building everything
-      - name: "modify goreleaser config to skip building all targets"
-        run: |
-          echo "partial:
-            by: target" >> .goreleaser.yml
       - uses: "goreleaser/goreleaser-action@v6"
         id: "goreleaser"
         with:
           distribution: "goreleaser-pro"
           version: "latest"
-          args: "release --clean --split --snapshot"
+          args: "release --clean --split --snapshot --single-target --skip=chocolatey"
         env:
           GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
       - name: "Obtain container image to scan"
diff --git a/.goreleaser.windows.yml b/.goreleaser.windows.yml
new file mode 100644
index 0000000000..7afe272930
--- /dev/null
+++ b/.goreleaser.windows.yml
@@ -0,0 +1,55 @@
+---
+git:
+  tag_sort: "-version:creatordate"
+  prerelease_suffix: "-"
+before:
+  hooks:
+    - "go run mage.go gen:completions"
+builds:
+  - main: "./cmd/spicedb"
+    env:
+      - "CGO_ENABLED=0"
+    goos:
+      - "windows"
+    goarch:
+      - "amd64"
+      - "arm64"
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    ldflags:
+      - "-s -w"
+      - "-X github.com/jzelinskie/cobrautil/v2.Version=v{{ .Version }}"
+archives:
+  - files:
+      - "README.md"
+      - "LICENSE"
+      - "completions/*"
+    format_overrides:
+      - goos: "windows"
+        format: "zip"
+chocolateys:
+  - name: "spicedb"
+    package_source_url: "https://github.com/authzed/spicedb"
+    owners: "AuthZed, Inc"
+    title: "SpiceDB"
+    project_url: "https://github.com/authzed/spicedb"
+    use: "archive"
+    url_template: "https://github.com/authzed/spicedb/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+    icon_url: "https://authzed.com/favicon.svg"
+    copyright: "2024 AuthZed, Inc"
+    license_url: "https://github.com/authzed/spicedb/blob/main/LICENSE"
+    project_source_url: "https://github.com/authzed/spicedb"
+    docs_url: "https://authzed.com/docs"
+    bug_tracker_url: "https://github.com/authzed/spicedb/issues"
+    tags: "spicedb zanzibar authz rebac rbac abac fga"
+    summary: "SpiceDB is a graph database purpose-built for storing and evaluating access control data."
+    description: |
+      Open Source, Google Zanzibar-inspired permissions database to enable fine-grained access control for customer applications
+    release_notes: "https://github.com/authzed/spicedb/releases/tag/v{{ .Version }}"
+    api_key: "{{ .Env.CHOCOLATEY_API_KEY }}"
+    source_repo: "https://push.chocolatey.org/"
+checksum:
+  name_template: "checksums.txt"
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+nightly:
+  name_template: "{{ incpatch .Version }}-{{ .ShortCommit }}"
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 640d8d0f8c..37fffa6b0a 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -11,7 +11,6 @@ builds:
       - "CGO_ENABLED=0"
     goos:
       - "linux"
-      - "windows"
       - "darwin"
     goarch:
       - "amd64"