diff --git a/.github/actions/install-cosign/action.yaml b/.github/actions/install-cosign/action.yaml
new file mode 100644
index 0000000000000..acaf7ba1a7a97
--- /dev/null
+++ b/.github/actions/install-cosign/action.yaml
@@ -0,0 +1,10 @@
+name: "Install cosign"
+description: |
+  Cosign Github Action.
+runs:
+  using: "composite"
+  steps:
+    - name: Install cosign
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      with:
+        cosign-release: "v2.4.3"
diff --git a/.github/actions/install-syft/action.yaml b/.github/actions/install-syft/action.yaml
new file mode 100644
index 0000000000000..7357cdc08ef85
--- /dev/null
+++ b/.github/actions/install-syft/action.yaml
@@ -0,0 +1,10 @@
+name: "Install syft"
+description: |
+  Downloads Syft to the Action tool cache and provides a reference.
+runs:
+  using: "composite"
+  steps:
+    - name: Install syft
+      uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+      with:
+        syft-version: "v1.20.0"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ee97e675cbbdd..9aed499c03b5e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1074,14 +1074,10 @@ jobs:
         run: sudo apt-get install -y zstd
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-        with:
-          cosign-release: "v2.4.3"
+        uses: ./.github/actions/install-cosign
 
       - name: Install syft
-        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
-        with:
-          syft-version: "v1.20.0"
+        uses: ./.github/actions/install-syft
 
       - name: Setup Windows EV Signing Certificate
         run: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index fbb86d7aaf799..f35a004f2e4de 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
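Review bot: The `description` of the new composite action, `Cosign Github Action.`, says nothing about the one thing a caller can no longer see from `uses: ./.github/actions/install-cosign`: that the cosign version is fixed here. Suggest `description: Installs cosign via the SHA-pinned sigstore/cosign-installer; bump cosign-release here so the ci, release and security workflows move together.` The relocation itself does not loosen anything, since the installer stays pinned by commit and `cosign-release: "v2.4.3"` is still quoted and explicit.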
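Review bot: The description `Downloads Syft to the Action tool cache and provides a reference.` promises something the wrapper does not deliver: the composite action declares no `outputs`, so whatever reference `anchore/sbom-action/download-syft` exposes is not visible to callers of `./.github/actions/install-syft`, who presumably get syft only through what the inner action puts on PATH. Either trim it to `description: Downloads the pinned Syft release to the Action tool cache.`, or give the inner step an `id` and forward its output through an `outputs:` block. Nothing in this diff reads such an output from ci.yaml or release.yaml, so the trim looks like the smaller, more honest change.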
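Review bot: Moving the SHA pins and the `cosign-release`/`syft-version` values out of the workflow into `.github/actions/*/action.yaml` changes which paths dependency-update tooling has to watch; as far as I recall, Dependabot's `github-actions` ecosystem with the default `/` directory covers `.github/workflows` and a root action file but not composite actions in subdirectories, so confirm the config lists the new locations (for Dependabot, a constructed example would be a `directories` entry like `"/.github/actions/*"`), otherwise the two pins silently stop getting bump PRs. The same relocation is made in the release.yaml and security.yaml hunks, so one config fix covers all three. A local `uses: ./.github/actions/install-cosign` also only resolves after the repository has been checked out in this job, which the hunk does not show; the enclosing job starts outside the hunk.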
@@ -251,14 +251,10 @@ jobs:
         rm /tmp/rcodesign.tar.gz
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-        with:
-          cosign-release: "v2.4.3"
+        uses: ./.github/actions/install-cosign
 
       - name: Install syft
-        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
-        with:
-          syft-version: "v1.20.0"
+        uses: ./.github/actions/install-syft
 
       - name: Setup Apple Developer certificate and API key
         run: |
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 3b90616f849f0..71d209e2a7dce 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -85,6 +85,12 @@ jobs:
       - name: Setup sqlc
         uses: ./.github/actions/setup-sqlc
 
+      - name: Install cosign
+        uses: ./.github/actions/install-cosign
+
+      - name: Install syft
+        uses: ./.github/actions/install-syft
+
       - name: Install yq
         run: go run github.com/mikefarah/yq/v4@v4.44.3
       - name: Install mockgen
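Review bot: The steps that consume the newly installed cosign and syft are not in the security.yaml hunk, so it is not visible from here whether this job actually runs either tool; if it does not, every run now fetches two extra binaries for nothing, which is added network time and supply-chain surface in a job whose purpose is scanning. Worth confirming against the rest of the job, which starts and ends outside the hunk, and recording the dependency with a one-line comment above `- name: Install cosign`, e.g. `# required by the <consuming step — placeholder> step below`. As with ci.yaml and release.yaml, the `uses: ./.github/actions/...` form depends on the repository having been checked out earlier in the job, which the hunk does not show.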