diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9854cc3..36a8358 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -16,7 +16,7 @@ permissions:
 jobs:
   goreleaser:
     # deploy with the correct environment to allow DockerHub access
-    environment: "Publish"
+    environment: 'Publish'
 
     runs-on: ubuntu-latest
     steps:
@@ -39,8 +39,8 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          username: '${{ vars.DOCKERHUB_USER }}'
+          password: '${{ secrets.DOCKERHUB_TOKEN }}'
 
       - name: Release
         uses: goreleaser/goreleaser-action@v5
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 717fad8..07488c4 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -23,12 +23,13 @@ builds:
 # If you do this locally, sign with an OAuth identity you don't mind being permanently
 # published to a transparency log.
 binary_signs:
-  - cmd: './ci-only.sh'
+  - signature: '${artifact}.cosign.bundle'
+    cmd: './ci-only.sh'
     args:
       - "cosign"
       - "sign-blob"
       - "${artifact}"
-      - "--bundle=${artifact}.cosign.bundle"
+      - "--bundle=${signature}"
       - "--yes" # needed on cosign 2.0.0+
     output: false # the necessary output is the .cosign.bundle file