diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 02ceb18..a59582d 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -86,22 +86,29 @@ jobs:
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: Sign image with cosign
 env:
- COSIGN_EXPERIMENTAL: 1
+ COSIGN_EXPERIMENTAL: "1"
+ TAGS: ${{ steps.meta.outputs.tags }}
+ GH_REPO: ${{ github.repository }}
+ GH_WORKFLOW: ${{ github.workflow }}
+ GH_SHA: ${{ github.sha }}
+ IMAGE_DIGEST: ${{ steps.image.outputs.digest }}
 run: |
- IFS=',' read -ra TAGS <<< "${{ steps.meta.outputs.tags }}"
- for tag in "${TAGS[@]}"; do
+ mapfile -t TAG_LIST <<< "$TAGS"
+ for tag in "${TAG_LIST[@]}"; do
 cosign sign \
- -a "repo=${{ github.repository }}" \
- -a "workflow=${{ github.workflow }}" \
- -a "sha=${{ github.sha }}" \
+ -a "repo=${GH_REPO}" \
+ -a "workflow=${GH_WORKFLOW}" \
+ -a "sha=${GH_SHA}" \
 --yes \
- "$tag"@${{ steps.image.outputs.digest }}
+ "${tag}@${IMAGE_DIGEST}"
 done
 - name: Extract first tag
 id: first-tag
+ env:
+ TAGS: ${{ steps.meta.outputs.tags }}
 run: |
- IFS=$'\n' read -ra TAGS <<< "${{ steps.meta.outputs.tags }}"
- echo "tag=${TAGS[0]}" >> $GITHUB_OUTPUT
+ mapfile -t TAG_LIST <<< "$TAGS"
+ echo "tag=${TAG_LIST[0]}" >> "$GITHUB_OUTPUT"
 - name: Generate SBOM
 uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 with:
diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml
index 34d76cb..be4dc51 100644
--- a/.github/workflows/helm-publish.yaml
+++ b/.github/workflows/helm-publish.yaml
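Review bot: In the "Sign image with cosign" step, `mapfile -t TAG_LIST <<< "$TAGS"` turns an empty `TAGS` into a single empty element and nothing checks `IMAGE_DIGEST`, so a run where the metadata or build step produced no output still enters the loop and calls `cosign sign "@${IMAGE_DIGEST}"` (or `"${tag}@"`) and dies on a reference parse error instead of a clear message; add `[ -n "$TAGS" ] && [ -n "$IMAGE_DIGEST" ] || { echo "ERROR: no tags or image digest to sign" >&2; exit 1; }` before the `mapfile`. The `-a repo=/workflow=/sha=` annotations are signer-asserted values, so a step comment such as `# annotations are informational; verifiers must pin --certificate-identity / --certificate-oidc-issuer, not these values` would stop a future reader from building a verification policy on them. `COSIGN_EXPERIMENTAL` was the cosign 1.x keyless switch; with the pinned installer it is presumably a no-op and could be dropped, but confirm the cosign version that installer resolves to. The enclosing job and its `permissions:` block start outside the hunk, so whether `id-token: write` is granted for keyless signing cannot be seen here.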
@@ -53,27 +53,34 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Login to GHCR (Helm)
- run: |
- echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_ACTOR: ${{ github.actor }}
+ run: echo "$GH_TOKEN" | helm registry login ghcr.io -u "$GH_ACTOR" --password-stdin
 - name: Extract version from tag
 id: version
+ env:
+ GH_REF: ${{ github.ref }}
+ GH_REF_NAME: ${{ github.ref_name }}
+ GH_SHA: ${{ github.sha }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
 run: |
- if [[ "${{ github.ref }}" == refs/tags/* ]]; then
- VERSION=${GITHUB_REF_NAME#v}
- echo "source=tag" >> $GITHUB_OUTPUT
+ if [[ "$GH_REF" == refs/tags/* ]]; then
+ VERSION="${GH_REF_NAME#v}"
+ echo "source=tag" >> "$GITHUB_OUTPUT"
 else
- PR_NUMBER=${{ github.event.pull_request.number }}
- SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7)
+ SHORT_SHA="${GH_SHA:0:7}"
 VERSION="0.0.0-pr.${PR_NUMBER}.${SHORT_SHA}"
- echo "source=computed" >> $GITHUB_OUTPUT
+ echo "source=computed" >> "$GITHUB_OUTPUT"
 fi
- echo "version=${VERSION}" >> $GITHUB_OUTPUT
+ echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
 echo "Chart version: ${VERSION}"
 - name: Update chart version and appVersion
+ env:
+ VERSION: ${{ steps.version.outputs.version }}
 run: |
- VERSION=${{ steps.version.outputs.version }}
 for chart in charts/*/; do
 if [ -f "${chart}Chart.yaml" ]; then
 CHART_NAME=$(basename "${chart}")
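Review bot: In the `else` branch of the "Extract version from tag" step, `PR_NUMBER` comes straight from `github.event.pull_request.number`, which is empty for any non-tag event that is not a pull request (a branch push, `workflow_dispatch`), so `VERSION` becomes `0.0.0-pr..<sha>`: an empty prerelease identifier is not valid SemVer and would presumably only surface later as an opaque `helm package` error; add `: "${PR_NUMBER:?not a tag build and no pull_request number}"` before the `VERSION=` line (the workflow's `on:` triggers are outside the hunk, so this path may be unreachable today, but the guard documents the assumption). A short SHA that is all digits with a leading zero (e.g. `0123456`) is likewise a numeric prerelease identifier with a leading zero, which strict SemVer parsers reject; `VERSION="0.0.0-pr.${PR_NUMBER}.g${SHORT_SHA}"` avoids that edge if consumers of the computed version can tolerate the format change. The login step is sound as rewritten: the token reaches `helm` only via stdin and no longer appears in the rendered script text.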
@@ -86,17 +93,23 @@ jobs:
 done
 - name: Package and publish Helm charts
+ env:
+ REPO_OWNER: ${{ github.repository_owner }}
 run: |
 for chart in charts/*/; do
 if [ -f "${chart}Chart.yaml" ]; then
 CHART_NAME=$(basename "${chart}")
 echo "Packaging and publishing chart: ${CHART_NAME}"
 helm package "${chart}"
- PACKAGE=$(ls ${CHART_NAME}-*.tgz)
- helm push "${PACKAGE}" oci://ghcr.io/${{ github.repository_owner }}/charts &> push-metadata.txt
- echo "Published ${PACKAGE} to ghcr.io/${{ github.repository_owner }}/charts"
+ PACKAGE=$(ls "${CHART_NAME}"-*.tgz)
+ helm push "${PACKAGE}" "oci://ghcr.io/${REPO_OWNER}/charts" 2>&1 | tee push-metadata.txt
+ echo "Published ${PACKAGE} to ghcr.io/${REPO_OWNER}/charts"
 CHART_DIGEST=$(awk '/Digest: /{print $2}' push-metadata.txt)
- echo "CHART_DIGEST=${CHART_DIGEST}" | tee -a $GITHUB_ENV
- cosign sign --yes "ghcr.io/${{ github.repository_owner }}/charts/${CHART_NAME}@${CHART_DIGEST}"
+ if [ -z "${CHART_DIGEST}" ]; then
+ echo "ERROR: failed to extract chart digest from helm push output" >&2
+ exit 1
+ fi
+ echo "CHART_DIGEST=${CHART_DIGEST}" | tee -a "$GITHUB_ENV"
+ cosign sign --yes "ghcr.io/${REPO_OWNER}/charts/${CHART_NAME}@${CHART_DIGEST}"
 fi
 done
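Review bot: `CHART_DIGEST` is scraped from helm's human-readable output with `awk '/Digest: /{print $2}'`, and the new guard only rejects an empty result, so any non-empty text on a `Digest:` line (a changed message format, or several matching lines joined by newlines) is appended to `$GITHUB_ENV` and handed to `cosign sign` as the reference to sign; tighten the guard to the expected shape, `if ! [[ "${CHART_DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then`, so the step signs exactly one well-formed digest or fails. Unless `shell: bash` or a `set -o pipefail` is in effect for this step (neither is visible in the hunk), a failing `helm push` is masked by `tee` and only caught indirectly by the digest check, so an explicit `set -o pipefail` at the top of the script would make that failure direct and keep its exit status. `PACKAGE=$(ls "${CHART_NAME}"-*.tgz)` also matches every archive whose name starts with `${CHART_NAME}-`, so with charts named e.g. `foo` and `foo-bar`, `PACKAGE` would hold two filenames; whether that can occur depends on the chart set, which is not visible here.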