diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 01ada600fd..8f5ebacc8f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -16,14 +16,18 @@ permissions:
 on:
 push:
- branches: [main]
+ branches:
+ - main
+ - release-*
 paths-ignore:
 - '**/*.md'
 - '**/*.txt'
 - '**/*.yaml'
 pull_request:
 # The branches below must be a subset of the branches above
- branches: [main]
+ branches:
+ - main
+ - release-*
 paths-ignore:
 - '**/*.md'
 - '**/*.txt'
diff --git a/.github/workflows/e2e-matrix.yml b/.github/workflows/e2e-matrix.yml
index fa0746c95f..fa4f036514 100644
--- a/.github/workflows/e2e-matrix.yml
+++ b/.github/workflows/e2e-matrix.yml
@@ -36,8 +36,7 @@ jobs:
 - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version-file: "go.mod"
- - uses: ko-build/setup-ko@v0.9
-
+ - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 - name: Install Dependencies
 working-directory: ./
 run: |
@@ -62,12 +61,12 @@ jobs:
 --e2e-env ./test/e2e-tests-kind-prow.env
 - name: Upload test results
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}
 path: ${{ env.ARTIFACTS }}
- - uses: chainguard-dev/actions/kind-diag@main
+ - uses: chainguard-dev/actions/kind-diag@0cf1221da92242205c2d9f8a63add344ebd6b304 # v1.6.1
 if: ${{ failure() }}
 with:
 artifact-name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}-logs
diff --git a/go.mod b/go.mod
index 7543aedd8f..1cf178a6f7 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/tektoncd/cli
-go 1.25.5
+go 1.25.6
 require (
 github.com/AlecAivazis/survey/v2 v2.3.7
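Review bot: In the second `.github/workflows/e2e-matrix.yml` hunk the `actions/upload-artifact` line is more than a pin: it goes from `v4` to the commit annotated `# v6.0.0`, so a two-major-version upgrade rides along with a change that otherwise only freezes references. Upstream's release notes for the intervening majors are not visible here and should be checked for runner or input changes before merge; if the intent was pinning only, the line would read `uses: actions/upload-artifact@<commit-sha-of-current-v4-tag> # v4.x.y` (placeholder values). The same hunk's `kind-diag` pin and the `setup-ko` pin in the previous hunk rely on the trailing `# vX` comments being accurate, which the diff cannot show, so each SHA should be resolved against its upstream tag. The `jobs:` block starts and ends outside both hunks.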
@@ -20,7 +20,7 @@ require (
 github.com/mitchellh/go-homedir v1.1.0
 github.com/pkg/errors v0.9.1
 github.com/sigstore/cosign/v2 v2.6.2
- github.com/sigstore/sigstore v1.10.3
+ github.com/sigstore/sigstore v1.10.4
 github.com/spf13/cobra v1.10.2
 github.com/spf13/pflag v1.0.10
 github.com/tektoncd/chains v0.26.0
diff --git a/go.sum b/go.sum
index 4851196fd7..17dd247962 100644
--- a/go.sum
+++ b/go.sum
@@ -1180,8 +1180,8 @@ github.com/sigstore/rekor v1.4.3 h1:2+aw4Gbgumv8vYM/QVg6b+hvr4x4Cukur8stJrVPKU0=
 github.com/sigstore/rekor v1.4.3/go.mod h1:o0zgY087Q21YwohVvGwV9vK1/tliat5mfnPiVI3i75o=
 github.com/sigstore/rekor-tiles/v2 v2.0.1 h1:1Wfz15oSRNGF5Dzb0lWn5W8+lfO50ork4PGIfEKjZeo=
 github.com/sigstore/rekor-tiles/v2 v2.0.1/go.mod h1:Pjsbhzj5hc3MKY8FfVTYHBUHQEnP0ozC4huatu4x7OU=
-github.com/sigstore/sigstore v1.10.3 h1:s7fBYYOzW/2Vd0nND2ZdpWySb5vRF2u9eix/NZMHJm0=
-github.com/sigstore/sigstore v1.10.3/go.mod h1:T26vXIkpnGEg391v3TaZ8EERcXbnjtZb/1erh5jbIQk=
+github.com/sigstore/sigstore v1.10.4 h1:ytOmxMgLdcUed3w1SbbZOgcxqwMG61lh1TmZLN+WeZE=
+github.com/sigstore/sigstore v1.10.4/go.mod h1:tDiyrdOref3q6qJxm2G+JHghqfmvifB7hw+EReAfnbI=
 github.com/sigstore/sigstore-go v1.1.4 h1:wTTsgCHOfqiEzVyBYA6mDczGtBkN7cM8mPpjJj5QvMg=
 github.com/sigstore/sigstore-go v1.1.4/go.mod h1:2U/mQOT9cjjxrtIUeKDVhL+sHBKsnWddn8URlswdBsg=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.10.3 h1:D/FRl5J9UYAJPGZRAJbP0dH78pfwWnKsyCSBwFBU8CI=
diff --git a/vendor/github.com/sigstore/sigstore/pkg/tuf/client.go b/vendor/github.com/sigstore/sigstore/pkg/tuf/client.go
index dd78dd1c5a..3477a8cf73 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/tuf/client.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/tuf/client.go
@@ -671,12 +671,16 @@ type diskCache struct {
 memory *memoryCache
 }
+func (d *diskCache) safePath(p string) string {
+ return filepath.FromSlash(filepath.Join(d.base, url.PathEscape(p)))
+}
+
 func (d *diskCache) Get(p string) ([]byte, error) {
 // Read from the in-memory cache first.
 if b, err := d.memory.Get(p); err == nil {
 return b, nil
 }
- fp := filepath.FromSlash(filepath.Join(d.base, p))
+ fp := d.safePath(p)
 return os.ReadFile(fp)
 }
@@ -685,7 +689,7 @@ func (d *diskCache) Set(p string, b []byte) error {
 return err
 }
- fp := filepath.FromSlash(filepath.Join(d.base, p))
+ fp := d.safePath(p)
 if err := os.MkdirAll(filepath.Dir(fp), 0o700); err != nil {
 return fmt.Errorf("creating targets dir: %w", err)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index bac8a8a0f2..5744d6ac4a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1380,7 +1380,7 @@ github.com/sigstore/rekor-tiles/v2/pkg/generated/protobuf
 github.com/sigstore/rekor-tiles/v2/pkg/note
 github.com/sigstore/rekor-tiles/v2/pkg/types/verifier
 github.com/sigstore/rekor-tiles/v2/pkg/verify
-# github.com/sigstore/sigstore v1.10.3
+# github.com/sigstore/sigstore v1.10.4
 ## explicit; go 1.25.0
 github.com/sigstore/sigstore/pkg/cryptoutils
 github.com/sigstore/sigstore/pkg/cryptoutils/goodkey