diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
index 879e3d9a79a1..5373e7255c79 100644
--- a/.github/workflows/kind-e2e-cosigned.yaml
+++ b/.github/workflows/kind-e2e-cosigned.yaml
@@ -29,9 +29,10 @@ jobs:
 fail-fast: false # Keep running if one leg fails.
 matrix:
 k8s-version:
- - v1.21.x
 - v1.22.x
 - v1.23.x
+ - v1.24.x
+ - v1.25.x
 env:
 # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
@@ -43,22 +44,23 @@ jobs:
 KO_DOCKER_REPO: registry.local:5000/policy-controller
 steps:
- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
- - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
 with:
- go-version: '1.17'
+ go-version: '1.19'
 check-latest: true
- - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
+ - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- - uses: imranismail/setup-kustomize@8fa954828ed3cfa7a487a2ba9f7104899bb48b2f # v1.6.1
+ - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v1.6.1
 - name: Install yq
- uses: mikefarah/yq@70403375d7b96075bd68b40c434807cff1593568 # v4.25.1
+ uses: mikefarah/yq@87cba2ecbeaecf860efcceb66deab46ae030ce1e # v4.27.3
 - name: Install Cosign
 run: |
 go install ./cmd/cosign
+
 - name: Setup mirror
 uses: chainguard-dev/actions/setup-mirror@main
 with:
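Review bot: The `imranismail/setup-kustomize` pin in the steps hunk moves from `8fa95482…` to `a76db1c6…`, but the trailing comment still reads `# v1.6.1`, so the label no longer tells a reviewer which release the new SHA corresponds to. Since the comment is the only human-readable link between the SHA and a tag, set it to the release that `a76db1c6419124d51470b1e388c4b29476f495f1` actually resolves to (for example `# <tag of a76db1c>`), or note in the commit message why the same tag now maps to a different commit. The unchanged `chainguard-dev/actions/setup-mirror@main` at the end of this hunk is still a branch ref; the `kind-diag` step in the same file already uses the SHA-plus-`# main` form, which would fit here too.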
@@ -92,29 +94,35 @@ jobs:
 # Make the $INSECURE_REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to
 # local registry, even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_NAME/some/image
 sudo echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts
+
+ - name: Check out upstream code (policy-controller)
+ uses: actions/checkout@v3
+ with:
+ repository: sigstore/policy-controller
+ path: ./src/github.com/sigstore/policy-controller
+ ref: v0.5.2
+
 - name: Install policy-controller
 env:
 GIT_HASH: ${{ github.sha }}
 GIT_VERSION: ci
 LDFLAGS: ""
- COSIGNED_YAML: policy-controller-e2e.yaml
+ POLICY_CONTROLLER_YAML: policy-controller-e2e.yaml
 KO_PREFIX: registry.local:5000/policy-controller
- COSIGNED_ARCHS: linux/amd64
+ POLICY_CONTROLLER_ARCHS: linux/amd64
+ working-directory: ./src/github.com/sigstore/policy-controller
 run: |
 make ko-policy-controller
 kubectl apply -f policy-controller-e2e.yaml
 # Wait for the webhook to come up and become Ready
 kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
+ kubectl wait deployment -n cosign-system --for condition=Available=True --timeout=90s --all
+
 - name: Run Insecure Registry Tests
 run: |
 go install github.com/google/go-containerregistry/cmd/crane
 ./test/e2e_test_insecure_registry.sh
- - name: Run Image Policy Tests
- run: |
- ./test/e2e_test_policy_crd.sh
- - name: Run Policy Controller Tests
- run: |
- ./test/e2e_test_policy_controller.sh
+
 - name: Collect diagnostics
 if: ${{ failure() }}
 uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main
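Review bot: The added `Check out upstream code (policy-controller)` step uses `actions/checkout@v3`, a mutable tag, while the first checkout in this workflow is pinned to a full commit SHA; reuse that pin, `uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0`. `ref: v0.5.2` is likewise a tag that can be re-pointed upstream, and the following step runs `make ko-policy-controller` and `kubectl apply` from that tree, so what CI builds and deploys is not fixed by this file; pin it as `ref: <full commit SHA of v0.5.2> # v0.5.2`. `GIT_HASH: ${{ github.sha }}` is still the cosign commit although the build now runs in the policy-controller checkout, so the stamped hash presumably no longer identifies the code being built; a short comment on that line would avoid confusion when reading the diagnostics.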