diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ee7b750..8dd8d93 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -136,16 +136,14 @@ jobs:
       - name: Install Cosign
         uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
 
+      # via <https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml>
       - name: Sign image
         env:
-          IMAGES: ${{ needs.build.outputs.image-tags }}
+          # <https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable>
+          TAGS: ${{ needs.build.outputs.image-tags }}
           DIGEST: ${{ needs.build.outputs.image-digest }}
-          COSIGN_EXPERIMENTAL: "true"
         run: |
-          while read -r image; do
-            echo "Signing '$image' using keyless approach"
-            cosign sign "$image@$DIGEST"
-          done <<< "$IMAGES"
+          echo "${TAGS}" | xargs -I {} cosign sign --yes {}@"${DIGEST}"
 
   container-provenance:
     if: ${{ startsWith(github.ref, 'refs/tags/') }}