diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml
index 69e95bcb8f4..1d3964f3648 100644
--- a/.github/workflows/publishimage.yml
+++ b/.github/workflows/publishimage.yml
@@ -22,7 +22,7 @@ permissions:
 on:
 push:
 branches:
- - main
+ - main
 env:
 GO_VERSION: 1.17.7
 
@@ -30,22 +30,24 @@ jobs:
 unit-test:
 name: publishimage
 runs-on: ubuntu-latest
+ env:
+ COSIGN_EXPERIMENTAL: "true"
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # v1
+ uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
 with:
 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - name: Clone the code
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 with:
 fetch-depth: 0
 - name: Setup Go
- uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+ uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: install ko
- uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
+ uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675
 - name: publishimage
 uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
 with:
@@ -56,3 +58,8 @@ jobs:
 go env -w GOFLAGS=-mod=mod
 make install
 make scorecard-ko
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656
+ - name: Sign image
+ run: |
+ cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}
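Review bot: The new Sign image step at the end of the third hunk signs a mutable tag reference (`scorecard/v4:${{ github.sha }}`) rather than an immutable digest, so the signature attests to whatever that tag resolves to at signing time instead of the exact image the preceding `make scorecard-ko` step pushed. Prefer capturing the `image@sha256:…` reference that ko prints when it publishes (how the make target surfaces it is not visible here) into a step output and signing that, e.g. `cosign sign "${IMAGE_DIGEST_REF}"` where the variable is the ko output, and while touching the line use the file's `${{ github.repository_owner }}` spacing for consistency with the `${{ github.sha }}` next to it. Keyless signing under `COSIGN_EXPERIMENTAL: "true"` also requires `id-token: write` on the job (plus `packages: write` to push the signature to ghcr.io); the `permissions:` block sits above the first hunk and is outside this diff, so confirm it grants both or the step will fail at OIDC token exchange. The second hunk drops the `# v2.3.4`-style version comments after every pinned action SHA; keep them, e.g. `uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4`, because they are the only human-readable record of which release a SHA corresponds to, and add one to the new `sigstore/cosign-installer` pin as well.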