diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 35c4c33..d2e3eb0 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -38,7 +38,10 @@ jobs:
           cache: true
       - uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.61.0
+          # v1.61 was built against Go 1.23 and refuses to load a
+          # config that targets a newer toolchain — go.mod is on 1.25.
+          # Bumping to a v2.x release built against current Go.
+          version: v2.1.6
           args: --timeout=5m
 
   build:
diff --git a/internal/server/http/host_credentials_test.go b/internal/server/http/host_credentials_test.go
index d1667be..af2d286 100644
--- a/internal/server/http/host_credentials_test.go
+++ b/internal/server/http/host_credentials_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"testing"
+	"time"
 )
 
 // TestEnrollmentTransfersRepoCreds verifies the round-trip:
@@ -28,7 +29,7 @@ func TestEnrollmentTransfersRepoCreds(t *testing.T) {
 	if err != nil {
 		t.Fatalf("encrypt: %v", err)
 	}
-	if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, enc, ""); err != nil {
+	if err := st.CreateEnrollmentToken(ctx, tokHash, time.Hour, enc, ""); err != nil {
 		t.Fatalf("create token: %v", err)
 	}
 
@@ -93,7 +94,7 @@ func TestEnrollmentTokenWithoutCreds(t *testing.T) {
 	ctx := context.Background()
 
 	const tokHash = "no-creds-token"
-	if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, "", ""); err != nil {
+	if err := st.CreateEnrollmentToken(ctx, tokHash, time.Hour, "", ""); err != nil {
 		t.Fatalf("create: %v", err)
 	}
 	att, err := st.GetEnrollmentTokenAttachments(ctx, tokHash)