diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index a70a60723..d80b7a93d 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -62,6 +62,7 @@ jobs:
 run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
 - name: Build
+ id: build
 uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4
 with:
 builder: ${{ steps.buildx.outputs.name }}
@@ -77,13 +78,20 @@ jobs:
 VERSION=${{ needs.release-please.outputs.release_tag_name }}
 COMMIT=${{ github.sha }}
 DATE=${{ steps.date.outputs.date }}
+ outputs:
+ image_digest: ${{ steps.build.outputs.digest }}
+ container-signing:
+ needs: container-release
+ runs-on: ubuntu-latest
+ if: ${{ needs.release-please.outputs.release_created }}
+ steps:
 - name: Install Cosign
- uses: sigstore/cosign-installer@main
+ uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65
 - name: Sign the image
 run: |
- cosign sign --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.release_tag_name }}
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.container-release.outputs.image_digest }}
 cosign public-key --key env://COSIGN_PRIVATE_KEY --outfile ${{ env.PUBLIC_KEY_FILE }}
 env:
 COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
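Review bot: In the new `cosign sign --yes` line the image name and the digest are joined with `:`, but a digest is addressed with `@`; the `digest` output of docker/build-push-action normally has the form `sha256:<hex>`, so the reference as written would not parse and the release image would go unsigned. The reference should read `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.container-release.outputs.image_digest }}`. Separately, the new `container-signing` job declares only `needs: container-release` while its `if:` reads `needs.release-please.outputs.release_created`; the `needs` context holds direct dependencies only, so that expression is likely empty and the job skipped, which `needs: [release-please, container-release]` would fix. The job also starts on a fresh runner and its step list continues past the end of the hunk, so any registry login performed in `container-release` (not visible here) would have to be repeated before cosign can push the signature.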