diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 6966774..cf1d32d 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -60,12 +60,15 @@ jobs:
           # Debian Bullseye only ships Python 3.9; use a prebuilt standalone binary
           curl -sSL "https://github.com/indygreg/python-build-standalone/releases/download/20241002/cpython-3.10.15+20241002-x86_64-unknown-linux-gnu-install_only.tar.gz" \
             | tar -xz -C /opt
+          # Install bot deps + pip-audit into the same env; --local below avoids
+          # pip-audit creating an internal venv (ensurepip fails on standalone builds)
           /opt/python/bin/pip install --upgrade pip setuptools
-          /opt/python/bin/pip install pip-audit
+          /opt/python/bin/pip install pip-audit -r matrixbot/requirements.txt
 
       - name: Audit matrixbot dependencies
-        # Audit only our declared dependencies, not pip-audit itself or pip
-        run: /opt/python/bin/pip-audit -r matrixbot/requirements.txt
+        # --local scans the env without spawning a venv (required for standalone Python)
+        # CVE-2026-3219 is in pip itself, not our code — ignore it explicitly
+        run: /opt/python/bin/pip-audit --local --ignore-vuln CVE-2026-3219
 
   secret-scan:
     name: Secret scan (gitleaks)