diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e961ef1..5624e4c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -71,9 +71,12 @@ jobs:
 password: ${{ env.REGISTRY_PASSWORD }}
 - name: Sign image with a key
+ # https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
 run: |
- cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE_REGISTRY }}/${{ steps.build_image.outputs.image }}@${DIGEST}
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${REGISTRY}/${NAME}@${DIGEST}
 env:
+ REGISTRY: ${{ env.IMAGE_REGISTRY }}
+ NAME: ${{ steps.build_image.outputs.image }}
 DIGEST: ${{ steps.push.outputs.digest }}
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
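Review bot: The image reference on the new `cosign sign` line is expanded without quotes, so the shell still applies word splitting and globbing to `${REGISTRY}`, `${NAME}` and `${DIGEST}`; passing the expressions through `env:` keeps them out of the script text, but a value containing whitespace would still reach cosign as extra arguments. Quote the whole reference: `cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${REGISTRY}/${NAME}@${DIGEST}"`. The added comment is a bare URL; a short line such as `# Pass expressions through env so they are never interpolated into the script text` would keep the reason readable if the link moves. The rest of the job is outside this hunk, so any other `run:` step that still embeds `${{ }}` inline would need the same treatment.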