diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index e10eed3aae..5838d2ed69 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -19,31 +19,15 @@ jobs:
         with: { go-version: stable }
       - run: go mod download
 
-      # Login to the GitHub Packages registry to avoid rate limiting.
-      # - https://aquasecurity.github.io/trivy/v0.55/docs/references/troubleshooting/#github-rate-limiting
-      # - https://github.com/aquasecurity/trivy/issues/7580
-      # - https://github.com/aquasecurity/trivy-action/issues/389
-      # - https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
-      # - https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions
-      - name: Login to GitHub Packages
-        run: >
-          docker login ghcr.io
-          --username '${{ github.actor }}'
-          --password-stdin <<< '${{ secrets.GITHUB_TOKEN }}'
-
       # Report success only when detected licenses are listed in [/trivy.yaml].
-      # The "aquasecurity/trivy-action" action cannot access the Go module cache,
-      # so run Trivy from an image with the cache and local configuration mounted.
-      # - https://github.com/aquasecurity/trivy-action/issues/219
-      # - https://github.com/aquasecurity/trivy/pkgs/container/trivy
       - name: Scan licenses
-        run: >
-          docker run
-          --env 'DOCKER_CONFIG=/docker' --volume "${HOME}/.docker:/docker"
-          --env 'GOPATH=/go' --volume "$(go env GOPATH):/go"
-          --workdir '/mnt' --volume "$(pwd):/mnt"
-          'ghcr.io/aquasecurity/trivy:latest'
-          filesystem --debug --exit-code=1 --scanners=license .
+        uses: aquasecurity/trivy-action@0.26.0
+        env:
+          TRIVY_DEBUG: true
+        with:
+          scan-type: filesystem
+          scanners: license
+          exit-code: 1
 
   vulnerabilities:
     if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
@@ -62,7 +46,7 @@ jobs:
       # and is a convenience/redundant effort for those who prefer to
       # read logs and/or if anything goes wrong with the upload.
       - name: Log all detected vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.26.0
         with:
           scan-type: filesystem
           hide-progress: true
@@ -74,7 +58,7 @@ jobs:
       # - https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
       # - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
       - name: Report actionable vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.26.0
         with:
           scan-type: filesystem
           ignore-unfixed: true