diff --git a/.github/workflows/obs.yml b/.github/workflows/obs.yml
index d3b1bae..ec6df48 100644
--- a/.github/workflows/obs.yml
+++ b/.github/workflows/obs.yml
@@ -76,7 +76,7 @@ jobs:
     name: bundle / build / ${{ inputs.revision || 'main' }} / ${{ matrix.arch }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       - run: scripts/bundle/build
         if: ${{ inputs.skip-bundles == false }}
         env:
@@ -130,7 +130,7 @@ jobs:
         if: ${{ inputs.skip-bundles == false && github.event_name != 'pull_request' }}
         with:
           credentials_json: ${{ secrets.GCS_CRIO_SA }}
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
         if: ${{ inputs.skip-bundles == false && github.event_name != 'pull_request' }}
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         if: ${{ inputs.skip-bundles == false && github.event_name != 'pull_request' }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c8cd266..ae1761c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       - run: make verify-get-script
       - name: Install BOM
         run: |