diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e8cb021..39b1922 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -86,8 +86,13 @@ jobs:
       - uses: actions/checkout@v4
       
       - name: Run Trivy container scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.28.0
+        env:
+          # Avoid "Bad credentials" from GitHub API when the runner's
+          # GITHUB_TOKEN is a Gitea token. Pin version to skip the lookup.
+          GITHUB_TOKEN: ""
         with:
+          version: v0.51.1
           scan-type: 'fs'
           scan-ref: '.'
           format: 'sarif'
@@ -142,6 +147,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       
+      - name: Install unzip (act-runner image may lack it)
+        run: |
+          if ! command -v unzip >/dev/null 2>&1; then
+            sudo apt-get update && sudo apt-get install -y unzip
+          fi
+      
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml
index f55d315..e538920 100644
--- a/.github/workflows/validation.yml
+++ b/.github/workflows/validation.yml
@@ -24,6 +24,12 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       
+      - name: Install unzip (act-runner image may lack it)
+        run: |
+          if ! command -v unzip >/dev/null 2>&1; then
+            sudo apt-get update && sudo apt-get install -y unzip
+          fi
+      
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v2
       
@@ -92,17 +98,25 @@ jobs:
       - uses: actions/checkout@v3
       
       - name: Container Security Scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.28.0
+        env:
+          # Avoid "Bad credentials" from GitHub API when the runner's
+          # GITHUB_TOKEN is a Gitea token. Pin version to skip the lookup.
+          GITHUB_TOKEN: ""
         with:
+          version: v0.51.1
           scan-type: 'image'
           image-ref: 'hyperledger/besu:23.10.0'
           format: 'sarif'
           output: 'trivy-results.sarif'
+        continue-on-error: true
       
       - name: Upload Trivy results
+        # Gitea does not host GitHub code-scanning; don't fail the job.
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: 'trivy-results.sarif'
+        continue-on-error: true
   
   validate-documentation:
     runs-on: ubuntu-latest