diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index b95e864c8d2c038d19110bbbcc176d1dac566187..2012a4d76ebd72cfdf0ef465236d08a1f019bfd0 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -103,9 +103,9 @@ jobs:
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
+        uses: sigstore/cosign-installer@v3.3.0
         with:
-          cosign-release: 'v1.13.1'
+          cosign-release: 'v2.2.2'
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker