From 12fd4d119428cd43f62b2b26133085c5a8f41ab4 Mon Sep 17 00:00:00 2001
From: Sebastian Noe
Date: Mon, 11 May 2026 20:22:14 +0200
Subject: [PATCH] fix(ci): correct SHA pins for cosign-installer and sbom-action (#6)
- cosign-installer: use v3.9.2 (d58896d6a186...)
- sbom-action: use v0.18.0 (f325610c9f50...)
Co-authored-by: Sebastian Noe
---
.github/workflows/docker-publish.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index dd5b519e..624491f4 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -67,13 +67,13 @@ jobs:
cache-to: type=gha,mode=max
- name: Install cosign
- uses: sigstore/cosign-installer@3454372be43e8dd44c6a73b22b8f0b4c0d0c4f8e # v3.8.2
+ uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
- name: Sign image with cosign
run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
- name: Generate SBOM
- uses: anchore/sbom-action@fc73183ea2a8c7b2c8e54ba5b67b0c8b67e89ef5 # v0.18.0
+ uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
with:
image: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
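Review bot: Nothing in the hunk or the commit message records how the two replacement SHAs on the `uses:` lines were verified against their release tags, and since this commit exists precisely because the previous pins were wrong, that verification is the part worth writing down. Each SHA should be confirmed to resolve on the upstream repository, e.g. `git ls-remote https://github.com/sigstore/cosign-installer refs/tags/v3.9.2^{}` and the equivalent for `anchore/sbom-action` at `v0.18.0`, with the `^{}` peel so an annotated tag object is not mistaken for the commit SHA that `uses:` actually requires. The result belongs in the PR description so the trailing `# v3.9.2` / `# v0.18.0` comments, which Dependabot and Renovate key off when proposing updates, can be trusted. The `permissions:` block and the `build` step that produces `steps.build.outputs.digest` are outside the hunk; keyless `cosign sign --yes` requires `id-token: write` in that block, which this hunk does not let me confirm.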