diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index cee03e6..f922c05 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -92,7 +92,7 @@ jobs:
             --no-git \
             --exit-code 0
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         if: always()
         with:
           name: gitleaks-report
@@ -104,26 +104,24 @@ jobs:
       - uses: actions/checkout@v4
       - name: Trivy filesystem scan (vuln + misconfig)
-        # TODO: flip exit-code to '1' once baseline is clean
-        uses: aquasecurity/trivy-action@0.28.0
-        with:
-          scan-type: fs
-          scan-ref: .
-          format: sarif
-          output: trivy-fs.sarif
-          severity: HIGH,CRITICAL
-          exit-code: '0'
-          scanners: vuln,misconfig
+        # TODO: flip --exit-code to 1 once baseline is clean
+        run: |
+          docker run --rm -v "$PWD:/src" aquasec/trivy:latest \
+            fs /src \
+            --severity HIGH,CRITICAL \
+            --scanners vuln,misconfig \
+            --format sarif \
+            --output /src/trivy-fs.sarif \
+            --exit-code 0
       - name: Trivy SBOM (CycloneDX)
-        uses: aquasecurity/trivy-action@0.28.0
-        with:
-          scan-type: fs
-          scan-ref: .
-          format: cyclonedx
-          output: sbom.cdx.json
+        run: |
+          docker run --rm -v "$PWD:/src" aquasec/trivy:latest \
+            fs /src \
+            --format cyclonedx \
+            --output /src/sbom.cdx.json
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         if: always()
         with:
           name: trivy-reports
@@ -148,7 +146,7 @@ jobs:
             --sarif --output /src/semgrep.sarif \
             --error /src || true
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         if: always()
         with:
           name: semgrep-report
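Review bot: Both new `run:` steps in the Trivy hunk pull `aquasec/trivy:latest`, so the scanner producing this pipeline's vulnerability report and SBOM is now a mutable tag, whereas the replaced `aquasecurity/trivy-action@0.28.0` was at least pinned to a release; whoever can move that tag (or a registry compromise) gets to choose the binary that runs with the checked-out workspace bind-mounted into it, and results will drift between runs as the tag advances. Pin both invocations to an explicit release, ideally by digest, e.g. `docker run --rm -v "$PWD:/src" aquasec/trivy:<version>@sha256:<digest> \`, and consider hoisting the image reference into a job-level `env` so the two steps cannot silently diverge. One further thing worth confirming on the target runner: if the Gitea runner itself executes inside a container, `$PWD` is a path inside that container but the `-v` bind mount is resolved by the host Docker daemon, so `/src` may come up empty and the SARIF and CycloneDX outputs would describe nothing while still uploading cleanly under `if: always()`. The enclosing job definition starts before this hunk.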