diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 118dd54f..cbf10d39 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -70,13 +70,17 @@ jobs:
 EOF
 - name: Build images
+ # `--pull` forces re-fetching pinned base images so a CVE
+ # re-publication of the same tag (e.g. node:20.19.0-alpine3.21,
+ # postgres:16-alpine) is picked up instead of being served
+ # from the host's stale Docker layer cache.
 run: |
 docker compose \
 -f docker-compose.prod.yml \
 -p archiv-staging \
 --env-file .env.staging \
 --profile staging \
- build
+ build --pull
 - name: Deploy staging
 run: |
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index d4332ba9..9ae74ad6 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -72,12 +72,15 @@ jobs:
 EOF
 - name: Build images
+ # `--pull` forces re-fetching pinned base images so a CVE
+ # re-publication of the same tag is picked up rather than served
+ # from the host's stale Docker layer cache.
 run: |
 docker compose \
 -f docker-compose.prod.yml \
 -p archiv-production \
 --env-file .env.production \
- build
+ build --pull
 - name: Deploy production
 run: |
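Review bot: In nightly.yml the new comment names `postgres:16-alpine` as an image that `build --pull` refreshes, but `--pull` on `build` only re-fetches the `FROM` images of services that have a `build:` section. If postgres is declared with a plain `image:` in docker-compose.prod.yml (not visible in this diff), it is still served from the host's cache. The Deploy staging step, whose body lies outside the hunk, would then need `docker compose pull` or `up --pull always` to cover it. Otherwise narrow the comment, e.g. `# Refreshes build-stage base images only; image-only services are pulled at deploy time.` The Build images step in release.yml has the same gap.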
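Review bot: In release.yml the comment calls the base images "pinned", but a tag that can be re-published is mutable, so with `build --pull` the production build takes whatever the registry serves for that tag at build time, with no review in between. For the release workflow consider pinning the `FROM` lines by digest (`FROM <image>:<tag>@sha256:<digest>`, placeholder values) and letting a dependency-update job bump the digest, so patched re-publications arrive as a reviewed change. If tag-only pinning is intentional, say so in the comment, e.g. `# Base images are pinned by tag, not digest; --pull re-resolves the tag on every build.` The Dockerfiles are not part of this diff, so whether they already use digests cannot be seen here.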