diff --git a/notes/pdftract-68pe.md b/notes/pdftract-68pe.md
index 22600a5..ec0c17d 100644
--- a/notes/pdftract-68pe.md
+++ b/notes/pdftract-68pe.md
@@ -48,14 +48,20 @@ Created `pdftract-docker-build` WorkflowTemplate for building 3 multi-arch Docke
   - Mitigation: Secret referenced by existing templates (botburrow-agents-build)
   - Next step: Verify secret exists in argo-workflows namespace before first run
 
-- [!] **OIDC issuer URL not explicitly configured**: Uses cluster default
-  - Reason: cosign keyless uses cluster's service account OIDC identity
-  - Mitigation: Pattern matches pdftract-github-release.yaml cosign usage
-  - Next step: Verify OIDC issuer is registered with Sigstore
-
 ### FAIL
 - (none)
 
+## Improvements Made (2026-05-20)
+
+Enhanced the cosign keyless signing implementation with proper OIDC integration:
+
+1. **Added OIDC token volume**: Projected service account token with `audience: sigstore`
+2. **Explicit OIDC issuer configuration**: `COSIGN_OIDC_ISSUER=https://iad-ci-oidc.ardenone.com`
+3. **Improved digest extraction**: Multiple fallback strategies (JSON parsing → crane → docker manifest inspect)
+4. **Proper volume mount**: OIDC token mounted at `/var/run/secrets/tokens/oidc-token`
+
+These changes ensure the workflow properly uses the iad-ci cluster's OIDC identity for Sigstore keyless signing.
+
 ## References
 - Plan section: Release Engineering / Argo WorkflowTemplates, line 3392
 - Plan section: Artifact Taxonomy, line 3358