diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index eaf7cef..5a4d3ad 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -46,6 +46,10 @@ jobs:
     name: Build ${{ matrix.arch }} plugin
     needs: init
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       matrix:
         arch: ${{ fromJson(needs.init.outputs.architectures) }}
@@ -53,13 +57,6 @@ jobs:
     - name: Checkout the repository
       uses: actions/checkout@v3.5.3
    
-    - name: Login to DockerHub
-      if: needs.init.outputs.publish == 'true'
-      uses: docker/login-action@v2.2.0
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
     - name: Login to GitHub Container Registry
       if: needs.init.outputs.publish == 'true'
       uses: docker/login-action@v2.2.0
@@ -73,11 +70,12 @@ jobs:
       run: echo "BUILD_ARGS=--test" >> $GITHUB_ENV
 
     - name: Build plugin
-      uses: home-assistant/builder@2023.06.0
+      uses: home-assistant/builder@2023.06.1
       with:
         args: |
           $BUILD_ARGS \
           --${{ matrix.arch }} \
+          --cosign \
           --target /data \
           --generic ${{ needs.init.outputs.version }}
       env:
diff --git a/build.yaml b/build.yaml
index 7f47850..896763f 100644
--- a/build.yaml
+++ b/build.yaml
@@ -1,5 +1,4 @@
-image: homeassistant/{arch}-hassio-audio
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-hassio-audio
 build_from:
   aarch64: ghcr.io/home-assistant/aarch64-base:3.17
   armhf: ghcr.io/home-assistant/armhf-base:3.17
@@ -9,6 +8,9 @@ build_from:
 codenotary:
   signer: notary@home-assistant.io
   base_image: notary@home-assistant.io
+cosign:
+  base_identity: https://github.com/home-assistant/docker-base/.*
+  identity: https://github.com/home-assistant/plugin-audio/.*
 args:
   ALSA_LIB_VERSION: 1.2.8
   ALSA_TOOLS_VERSION: 1.2.5