diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
index ee9af78..41d6305 100644
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@@ -13,10 +13,17 @@ jobs:
     steps:
       - name: Install build dependencies
         run: |
-          # archlinux:latest images ship a snapshot keyring; new packages
-          # signed after that snapshot fail PGP verification. Refresh the
-          # keyring first, then everything else.
-          pacman -Sy --noconfirm archlinux-keyring
+          # The slim archlinux:latest image arrives without a populated
+          # pacman keyring AND without a local pacman master key, so:
+          #   1. --init  generates the local signing key (needed when pacman
+          #      itself rewrites the keyring during package upgrades)
+          #   2. --populate archlinux  imports the upstream master keys so
+          #      currently-shipping signatures verify
+          # After that we can refresh archlinux-keyring to pick up keys for
+          # packagers added after the image's snapshot, then -Syu the rest.
+          pacman-key --init
+          pacman-key --populate archlinux
+          pacman -Sy --noconfirm --needed archlinux-keyring
           pacman -Syu --noconfirm --needed \
             base-devel git zip tar \
             clang lld libc++ cmake \