diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8d8664c26..0f8a61dd2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -96,22 +96,22 @@ jobs: COSIGN_EXPERIMENTAL: 1 run: | helm package charts/flagger - digest = $(helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts | awk '/Digest:/ {print $2}' | tr -d '\n' | xargs) - cosign sign --yes ghcr.io/fluxcd/charts/flagger@${{ digest }} + echo "DIGEST=$(helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts | awk '/Digest:/ {print $2}' | tr -d '\n' | xargs)" >> $GITHUB_ENV + cosign sign --yes ghcr.io/fluxcd/charts/flagger@$DIGEST rm flagger-${{ steps.prep.outputs.VERSION }}.tgz - name: Publish signed manifests to GHCR if: startsWith(github.ref, 'refs/tags/v') env: COSIGN_EXPERIMENTAL: 1 run: | - digest_url = $(flux push artifact \ + echo "DIGEST_URL=$(flux push artifact \ oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \ --path="./kustomize" \ --source="$(git config --get remote.origin.url)" \ --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" --output json | \ - jq -r '. | .repository + "@" + .digest') - cosign sign --yes ${{ digest_url }} + jq -r '. | .repository + "@" + .digest')" >> $GITHUB_ENV + cosign sign --yes $DIGEST_URL - uses: anchore/sbom-action/download-syft@v0 - name: Create release and SBOM id: run-goreleaser
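Review bot: `$DIGEST` and `$DIGEST_URL` will be empty when `cosign sign` runs, because a value appended to `$GITHUB_ENV` only becomes visible to later steps, not to the `run` script that writes it; this affects both the Helm chart step and the manifests step. A plain shell assignment keeps the value in the same script, e.g. `DIGEST="$(helm push … | awk '/Digest:/ {print $2}')"` followed by `cosign sign --yes "ghcr.io/fluxcd/charts/flagger@${DIGEST}"`, and likewise `DIGEST_URL="$(flux push artifact … | jq -r '.repository + "@" + .digest')"` for the manifests. A failed push inside the pipeline can also leave the value empty, since the step sets no `shell:` and so probably runs without `pipefail`. A guard such as `[ -n "$DIGEST" ] || exit 1` before each `cosign sign` would stop the release before it tries to sign an incomplete reference.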