diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index ecba0821..e95ed846 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -31,8 +31,10 @@ jobs:
     steps:
       - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
         if: ${{ github.event_name != 'merge_group' }}
-      - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+      - uses: docker/metadata-action@e6428a5c4e294a61438ed7f43155db912025b6b3 # v5.2.0
         id: meta
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}
           # Generate Docker tags based on the following events/attributes
@@ -43,13 +45,10 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
-      - run: |
-          set -Eeuo pipefail
-          ANNOTATIONS=$(echo '${{ steps.meta.outputs.labels }}' | sed 's/org.opencontainers.image./annotation-index.org.opencontainers.image./' | tr '\n' ',')
-          echo "annotations=${ANNOTATIONS::-1}" >> "$GITHUB_OUTPUT"
-        id: annotations
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        with:
+          version: v0.12.0
       - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         if: ${{ github.event_name != 'merge_group' }}
         with:
@@ -64,7 +63,7 @@ jobs:
           push: ${{ github.event_name != 'merge_group' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          outputs: type=image,${{ steps.annotations.outputs.annotations }}
+          annotations: ${{ steps.meta.outputs.annotations }}
           sbom: true
           provenance: true
           cache-from: type=gha