diff --git a/.github/workflows/release_v21.yaml b/.github/workflows/release_v21.yaml
index d4ac3db..0b3e8b7 100644
--- a/.github/workflows/release_v21.yaml
+++ b/.github/workflows/release_v21.yaml
@@ -420,6 +420,10 @@ jobs:
           flux tag artifact oci://ghcr.io/weaveworks/flux-manifests:${{ steps.patch.outputs.version }} \
           --tag latest
 
+          VERSION=${GITHUB_REF/refs\/tags\//}
+          flux tag artifact oci://ghcr.io/weaveworks/flux-manifests:${{ steps.patch.outputs.version }} \
+          --tag $VERSION
+
   release-provenance:
     needs: [release-flux-cli]
     permissions:
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 3144c86..98c346f 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -155,49 +155,49 @@ jobs:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Scan source-controller image
-        uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: cves
           image: 'ghcr.io/weaveworks/source-controller:${{ needs.get-image-version.outputs.sc }}'
           only-severities: critical,high
           exit-code: true
       - name: Scan kustomize-controller image
-        uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: cves
           image: 'ghcr.io/weaveworks/kustomize-controller:${{ needs.get-image-version.outputs.kc }}'
           only-severities: critical,high
           exit-code: true
       - name: Scan helm-controller image
-        uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: cves
           image: 'ghcr.io/weaveworks/helm-controller:${{ needs.get-image-version.outputs.hc }}'
           only-severities: critical,high
           exit-code: true
       - name: Scan notification-controller image
-        uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: cves
           image: 'ghcr.io/weaveworks/notification-controller:${{ needs.get-image-version.outputs.nc }}'
           only-severities: critical,high
           exit-code: true
       - name: Scan image-reflector-controller image
-        uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: cves
           image: 'ghcr.io/weaveworks/image-reflector-controller:${{ needs.get-image-version.outputs.irc }}'
           only-severities: critical,high
           exit-code: true
       - name: Scan image-automation-controller image
-        uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: cves
           image: 'ghcr.io/weaveworks/image-automation-controller:${{ needs.get-image-version.outputs.iac }}'
           only-severities: critical,high
           exit-code: true
       - name: Scan flux2 image
-        uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 # v1.0.8
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: cves
           image: 'ghcr.io/weaveworks/flux-cli:${{ needs.get-image-version.outputs.flux2 }}'