diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b12991b..7922da3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -85,10 +85,18 @@ jobs:
 # This will only write to the public Rekor transparency log when the Docker
 # repository is public to avoid leaking data. https://github.com/sigstore/cosign
- - name: Sign the published Docker image
+ - name: Sign the published Dockerhub image
 if: ${{ github.event_name != 'pull_request' }}
 env:
 COSIGN_EXPERIMENTAL: "true"
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
- run: cosign sign ${{ steps.docker_meta.outputs.tags }}@${{ steps.docker_build.outputs.digest }}
\ No newline at end of file
+ run: cosign sign -a "repo=${{ github.repository }}" -r ${{ secrets.DOCKER_HUB_USERNAME }}/k8s-pvc-tagger@${{ steps.docker_build.outputs.digest }}
+
+ - name: Sign the published GitHub image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: cosign sign -a "repo=${{ github.repository }}" -r ghcr.io/${{ github.repository_owner }}/k8s-pvc-tagger@${{ steps.docker_build.outputs.digest }}
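Review bot: Both new `run:` lines splice `${{ … }}` expressions, including `secrets.DOCKER_HUB_USERNAME`, directly into the shell command, so the values become script text before the shell parses them and the image reference is left unquoted. Passing them through the step's `env:` and quoting the expansions, as sketched below, keeps them as data. Both steps sign the same `steps.docker_build.outputs.digest`; the build step is outside this hunk, so confirm that it pushes that digest to both Docker Hub and ghcr.io. The `repo=` annotation only protects consumers who check it together with the signing certificate identity at verification time, and a comment saying so would help. ghcr.io references must be lowercase, so `github.repository_owner` may need lowercasing if the owner name contains capitals.

```yaml
      - name: Sign the published Dockerhub image
        # … unchanged: if condition …
        env:
          # … unchanged: COSIGN_EXPERIMENTAL …
          REPO: ${{ github.repository }}
          IMAGE: ${{ secrets.DOCKER_HUB_USERNAME }}/k8s-pvc-tagger
          DIGEST: ${{ steps.docker_build.outputs.digest }}
        run: cosign sign -a "repo=${REPO}" -r "${IMAGE}@${DIGEST}"

      - name: Sign the published GitHub image
        # … unchanged: if condition …
        env:
          # … unchanged: COSIGN_EXPERIMENTAL …
          REPO: ${{ github.repository }}
          IMAGE: ghcr.io/${{ github.repository_owner }}/k8s-pvc-tagger
          DIGEST: ${{ steps.docker_build.outputs.digest }}
        run: cosign sign -a "repo=${REPO}" -r "${IMAGE}@${DIGEST}"
```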