diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bf3d4a2..ee4192d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,22 +14,3 @@ jobs:
   markup-lint:
     name: Markup
     uses: ./.github/workflows/reusable-markup-lint.yml
-
-  validate-cosign:
-    name: Validate / Cosign
-    runs-on: ubuntu-latest
-    steps:
-      - name: Clone repository
-        uses: actions/checkout@v6
-      - name: Pull Alpine image
-        run: docker pull ghcr.io/linuxcontainers/alpine:latest
-      - name: Cosign Alpine image (read-only)
-        uses: ./actions/cosign/sign
-        with:
-          image-name: 'alpine'
-          image-path: 'ghcr.io/linuxcontainers'
-          image-tag: 'latest'
-          readonly: 'true'
-    permissions:
-      id-token: write
-      contents: read
diff --git a/.github/workflows/reusable-container-publication.yml b/.github/workflows/reusable-container-publication.yml
index f0547d6..c82fc17 100644
--- a/.github/workflows/reusable-container-publication.yml
+++ b/.github/workflows/reusable-container-publication.yml
@@ -108,18 +108,18 @@ jobs:
           ref: ${{ inputs.workflow-parts-version }}
           path: workflow-parts
       - name: Login to container registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
         with:
           registry: ${{ inputs.container-registry }}
           username: ${{ secrets.container-registry-username }}
           password: ${{ secrets.container-registry-password }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3
       - name: Set up Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5
       - name: Build and push container image
         id: build-push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
         with:
           context: ${{ inputs.working-directory }}
           file: ${{ inputs.image-definition }}
diff --git a/actions/cosign/sign/action.yml b/actions/cosign/sign/action.yml
index 7fe39b6..3316f46 100644
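Review bot: The four newly pinned `uses:` lines record a commit SHA but not the release it was taken from, so a reader cannot tell which version of login-action, setup-qemu-action, setup-buildx-action or build-push-action is actually running, and Dependabot/Renovate key their SHA updates on exactly that trailing comment; I could not verify from the diff which tags these commits correspond to. The usual form is to append the tag the SHA was copied from, e.g. `uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # <release tag>`, and the same on the other three lines, so the pin stays auditable and updatable. The job these steps belong to starts before the hunk and continues after it.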
--- a/actions/cosign/sign/action.yml
+++ b/actions/cosign/sign/action.yml
@@ -56,7 +56,9 @@ runs:
       - name: Get image digest
         id: digest
         run: |
-          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.image-path }}/${{ inputs.image-name }}:${{ inputs.image-tag }} | cut -d'@' -f2)
+          DIGEST=$(docker buildx imagetools inspect \
+            ${{ inputs.image-path }}/${{ inputs.image-name }}:${{ inputs.image-tag }} \
+            --format '{{json .Manifest}}' | jq -r '.digest')
           echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
         shell: bash
       - name: Sign image with Cosign
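Review bot: `jq -r '.digest'` on the added lines prints the literal string `null` and exits 0 when the descriptor has no `digest` key, and nothing checks `$DIGEST` before it is written to `$GITHUB_OUTPUT`, so a malformed value would flow straight into the following `Sign image with Cosign` step (the explicit `shell: bash` gives `-e`/`pipefail`, which covers a failing `inspect` but not this case). Use `jq -er '.digest'` so a missing or null digest fails the pipeline, and guard the value before the `echo`: `[[ "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "::error::could not resolve image digest (got '$DIGEST')"; exit 1; }`. Separately, the three `${{ inputs.* }}` expressions are expanded directly into the bash script, so if any caller derives `image-tag` or the other inputs from untrusted data (a branch or PR name, say) this is a shell-injection point; mapping them to step-level `env:` variables and referencing `"$IMAGE_REF"` in the script avoids that. Note also that `buildx imagetools inspect` resolves the tag against the registry at signing time rather than reading the image already on the runner, so what gets signed is whatever the tag points to at that moment; if a caller already holds the digest from its build step, accepting it as an input would close that window, though no such input is visible here. The `steps` list this step belongs to starts before the hunk and continues after it.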