diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index aac9dd1..ca07797 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -90,7 +90,7 @@ jobs:
         uses: actions/checkout@v4
 
       # Confirm that cosign.pub matches SIGNING_SECRET
-      - uses: sigstore/cosign-installer@v3.2.0
+      - uses: sigstore/cosign-installer@v3.3.0
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
 
       - name: Check SIGNING_SECRET matches cosign.pub
@@ -112,7 +112,7 @@ jobs:
           fi
 
       - name: Add yq (for reading recipe.yml)
-        uses: mikefarah/yq@v4.40.4
+        uses: mikefarah/yq@v4.40.5
 
       - name: Gather image data from recipe
         run: |