diff --git a/action.yml b/action.yml
index 6c70ad8..7f04e49 100644
--- a/action.yml
+++ b/action.yml
@@ -22,7 +22,7 @@ runs:
 
         bootstrap_version='v1.2.0'
         expected_bootstrap_version_digest='690e9d6220aa715b61e332a0efefb60f4f4889cb8c0d0195d28a406425d617f0'
-        curl -L https://storage.googleapis.com/cosign-releases/${bootstrap_version}/cosign-linux-amd64 -o cosign
+        curl -L https://github.com/sigstore/cosign/releases/download/${bootstrap_version}/cosign-linux-amd64 -o cosign
         shaBootstrap=$(sha256sum cosign | cut -d' ' -f1);
         if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then exit 1; fi
         chmod +x cosign
@@ -40,9 +40,9 @@ runs:
 
         # Download custom cosign
         if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
-          curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign_linux_amd64 -o cosign_${{ inputs.cosign-release }}
+          curl -L https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign_linux_amd64 -o cosign_${{ inputs.cosign-release }}
         else
-          curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign-linux-amd64 -o cosign_${{ inputs.cosign-release }}
+          curl -L https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign-linux-amd64 -o cosign_${{ inputs.cosign-release }}
         fi
         shaCustom=$(sha256sum cosign_${{ inputs.cosign-release }} | cut -d' ' -f1);