From 8683a62b4b927c91bf404ba6a6f4129c22d7b328 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Sch=C3=A4fer?=
Date: Sat, 16 May 2026 16:34:40 +0200
Subject: [PATCH] fix(security): update cosign to v3.0.6 and installer to 4.1.2

Updated cosign installer to version 4.1.2 and specified cosign release version 3.0.6.
---
 .github/workflows/cicd.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 9e26ede..dce3b13 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -107,8 +107,9 @@ jobs:
 shell: bash
 - name: Install cosign
- # cosign is used to sign and verify container images (key and keyless)
- uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+ with:
+ cosign-release: v3.0.6
 - name: Dual-sign and verify (GHCR & Docker Hub)
 # Sign each image by digest using keyless (OIDC) and key-based signing,
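Review bot: The new `cosign-release: v3.0.6` input on the `Install cosign` step is a second version pin with no comment saying why it is fixed, and the same hunk drops the step's only explanatory comment. Update tooling that bumps the `uses:` SHA generally does not touch `with:` inputs, so the cosign binary can fall behind the installer unless someone bumps it by hand; confirm how this repository's updater treats it. I would keep a comment on the step, for example `# cosign signs and verifies container images (key and keyless); binary pinned via cosign-release, bump together with the installer SHA`. The `Dual-sign and verify` step only begins in this hunk's context and continues outside it, so whether its invocation behaves the same under v3.0.6 cannot be judged from here.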