diff --git a/.github/workflows/release-snapshot.yml b/.github/workflows/release-snapshot.yml
index 6401f87..4c7946d 100644
--- a/.github/workflows/release-snapshot.yml
+++ b/.github/workflows/release-snapshot.yml
@@ -56,7 +56,7 @@ jobs:
 
       # cosign keyless signing (only exercised on same-repo PRs; fork
       # PRs skip via --skip=sign below).
-      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       # syft for CycloneDX SBOM emission per archive.
       - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a9dadb5..7e5c813 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -64,7 +64,7 @@ jobs:
 
       # cosign for keyless signing of checksums.txt (configured in
       # specter/.goreleaser.yml signs: block).
-      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       # syft for CycloneDX SBOM emission per archive (configured in
       # specter/.goreleaser.yml sboms: block).