diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9f77867..02eea88 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -100,7 +100,7 @@ jobs:
 packages: write
 id-token: write # OIDC token for keyless signing
 steps:
- - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+ - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
@@ -146,7 +146,7 @@ jobs:
 image: ${{ env.IMAGE }}:${{ needs.preflight.outputs.version }}
 format: spdx-json
 output-file: valkey-operator-${{ needs.preflight.outputs.tag }}.spdx.json
- - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+ - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: cosign sign-blob (SBOM)
 env:
 COSIGN_EXPERIMENTAL: "1"
@@ -201,7 +201,7 @@ jobs:
 run: |
 mkdir -p out
 helm package charts/valkey-operator -d out/
- - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+ - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: cosign sign-blob (chart .tgz)
 env:
 COSIGN_EXPERIMENTAL: "1"
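Review bot: None of the three `sigstore/cosign-installer` steps (this hunk and the SBOM and chart hunks) is followed by a `with:` block, so the cosign binary that signs the release is whatever the new installer major defaults to rather than a version this workflow states. The action is already pinned by commit SHA; pinning the tool as well keeps the signing toolchain reproducible, e.g. `with:` plus `cosign-release: '<COSIGN_VERSION_PLACEHOLDER>'` under each installer step. A major installer bump likely moves the default cosign major too, so the `cosign sign-blob` invocations (outside these hunks) and any published verification instructions should be checked against the new version's signature and bundle output before the next release. The `COSIGN_EXPERIMENTAL: "1"` entries visible in the context lines are probably no longer needed for keyless signing on cosign 2.x and later and could be dropped in a follow-up.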