diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d81f8c2..9336c0e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -132,7 +132,7 @@ jobs:
 # ── Smoke test ──────────────────────────────────────────────────────────
 - name: Install cosign
- uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3
+ uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v3
 - name: Sign Docker images (keyless Sigstore)
 run: |
@@ -276,7 +276,7 @@ jobs:
 output-file: nora-${{ github.ref_name }}.sbom.cdx.json
 - name: Install cosign
- uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3
+ uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v3
 - name: Sign binary with cosign (keyless Sigstore)
 run: cosign sign-blob --yes --output-signature nora-linux-amd64.sig --output-certificate nora-linux-amd64.pem ./nora-linux-amd64
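Review bot: The trailing `# v3` comment on the new `uses: sigstore/cosign-installer@…` line is identical to the one on the old pin, so nothing in the diff ties the new commit SHA to a published release. The comment should name the exact tag the SHA was taken from, e.g. `# vX.Y.Z` (placeholder for the real tag), and the same applies to the second Install cosign step in the hunk at line 276. Neither step sets the installer's `cosign-release` input, so the cosign binary that signs the images and `nora-linux-amd64` is whatever this installer commit defaults to and can change with a bump like this one. Adding `with:` and `cosign-release: '<pinned cosign version>'` under each step would keep the signing tool version explicit. The `run: |` body of the image-signing step continues outside the first hunk, so its flags were not reviewed.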