diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index 1dee2bf..ca8fef6 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -128,6 +128,13 @@ jobs:
           mkdir -p bluebuild
           printf '%s' "$COSIGN_PRIVATE_KEY" > bluebuild/cosign.key
           chmod 600 bluebuild/cosign.key
+          # bluebuild's generated Containerfile uses `FROM scratch as
+          # stage-keys; COPY cosign.pub /keys/`. Buildah's build context
+          # is the cwd ($PWD) — symlink the keys to repo root so COPY
+          # finds them there too.
+          ln -sf bluebuild/cosign.pub cosign.pub
+          ln -sf bluebuild/cosign.key cosign.key
+          ls -la cosign.pub cosign.key 2>&1 | head -4
 
       - name: Build OCI image with BlueBuild CLI container
         id: bluebuild