diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index e830cd90a..4640af0ed 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -135,9 +135,6 @@ jobs:
       id-token: write
 
     steps:
-      - name: Checkout the code
-        uses: actions/checkout@v4.2.2
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5.6.1
@@ -205,32 +202,28 @@ jobs:
       # For pull-requests, only read from the cache, do not try to push to the
       # cache or the image itself
       - name: Build
-        uses: docker/bake-action@v5.11.0
+        uses: docker/bake-action@v6.2.0
         if: github.event_name == 'pull_request'
         with:
           files: |
-            docker-bake.hcl
-            ${{ steps.meta.outputs.bake-file }}
-            ${{ steps.meta-debug.outputs.bake-file }}
-            ${{ steps.meta-syn2mas.outputs.bake-file }}
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+            cwd://${{ steps.meta-debug.outputs.bake-file }}
+            cwd://${{ steps.meta-syn2mas.outputs.bake-file }}
           set: |
-            base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
-            syn2mas.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}:tools/syn2mas/
             base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache
 
       - name: Build and push
         id: bake
-        uses: docker/bake-action@v5.11.0
+        uses: docker/bake-action@v6.2.0
         if: github.event_name != 'pull_request'
         with:
           files: |
-            docker-bake.hcl
-            ${{ steps.meta.outputs.bake-file }}
-            ${{ steps.meta-debug.outputs.bake-file }}
-            ${{ steps.meta-syn2mas.outputs.bake-file }}
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+            cwd://${{ steps.meta-debug.outputs.bake-file }}
+            cwd://${{ steps.meta-syn2mas.outputs.bake-file }}
           set: |
-            base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
-            syn2mas.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}:tools/syn2mas/
             base.output=type=image,push=true
             base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache
             base.cache-to=type=registry,ref=${{ env.BUILDCACHE }}:buildcache,mode=max
@@ -251,11 +244,16 @@ jobs:
           github.event_name != 'pull_request'
           && (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main')
 
+        env:
+          REGULAR_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).regular.digest }}
+          DEBUG_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).debug.digest }}
+          SYN2MAS_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).syn2mas.digest }}
+
         run: |-
           cosign sign --yes \
-            "${{ env.IMAGE }}@${{ fromJSON(steps.output.outputs.metadata).regular.digest }}" \
-            "${{ env.IMAGE }}@${{ fromJSON(steps.output.outputs.metadata).debug.digest }}" \
-            "${{ env.IMAGE_SYN2MAS }}@${{ fromJSON(steps.output.outputs.metadata).syn2mas.digest }}"
+            "$IMAGE@$REGULAR_DIGEST" \
+            "$IMAGE@$DEBUG_DIGEST" \
+            "$IMAGE_SYN2MAS@$SYN2MAS_DIGEST"
 
   syn2mas:
     name: Release syn2mas on NPM