diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b209b4c..26f2f07 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -415,7 +415,7 @@ jobs: # Sign by digest (not tag) to guarantee we sign exactly what was pushed. - name: Install Cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Sign container image with Cosign if: github.event_name != 'pull_request' @@ -871,7 +871,7 @@ jobs: if-no-files-found: error - name: Install Cosign - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Log in to GHCR (for cosign attest) uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0