diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 39b1922..713b9b4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -86,10 +86,11 @@ jobs:
 - uses: actions/checkout@v4
 - name: Run Trivy container scan
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@master
 env:
 # Avoid "Bad credentials" from GitHub API when the runner's
- # GITHUB_TOKEN is a Gitea token. Pin version to skip the lookup.
+ # GITHUB_TOKEN is a Gitea token. Pin trivy binary so installer
+ # does not hit api.github.com releases/latest.
 GITHUB_TOKEN: ""
 with:
 version: v0.51.1
diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml
index e538920..6c64fd0 100644
--- a/.github/workflows/validation.yml
+++ b/.github/workflows/validation.yml
@@ -98,10 +98,11 @@ jobs:
 - uses: actions/checkout@v3
 - name: Container Security Scan
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@master
 env:
 # Avoid "Bad credentials" from GitHub API when the runner's
- # GITHUB_TOKEN is a Gitea token. Pin version to skip the lookup.
+ # GITHUB_TOKEN is a Gitea token. Pin trivy binary so installer
+ # does not hit api.github.com releases/latest.
 GITHUB_TOKEN: ""
 with:
 version: v0.51.1
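Review bot: `uses: aquasecurity/trivy-action@master` in the "Run Trivy container scan" step swaps a fixed release tag for a moving branch, so each CI run executes whatever is at the head of that branch inside the job's checkout; the "Container Security Scan" step in .github/workflows/validation.yml gets the same change. Pin the action to a full commit SHA instead, with the release noted in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>`, and let a dependency-update bot raise the bumps. The reworded comment is accurate for the scanner binary (`version: v0.51.1`), but it reads as if the step were pinned while the action code that installs and invokes that binary is now unpinned; adding a line such as `# NOTE: the action ref itself must stay pinned to a commit SHA.` would keep the two apart. If the move to master was needed for installer behaviour that 0.28.0 lacks, presumably a later tagged release carries it, which is worth confirming before merging. Both steps continue outside their hunks.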