diff --git a/.github/workflows/qa-azure.yaml b/.github/workflows/qa-azure.yaml
index 8dee67d0b..c0218dc2d 100644
--- a/.github/workflows/qa-azure.yaml
+++ b/.github/workflows/qa-azure.yaml
@@ -20,6 +20,13 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
+      # This step is a workaround because vulnerability checker requires Go 1.21.3 which is not yet available on the archive.
+      # That requirement only affects test code using mocks, so we don't yet depend on such contracts.
+      # We should be safe with Go 1.21.1 for a while, until dependencies start to rely on the latest version.
+      - name: Constrain go version
+        shell: bash
+        working-directory: wsl-pro-service
+        run: go mod edit -go 1.21.1
       - name: Build debian package
         uses: canonical/desktop-engineering/gh-actions/common/build-debian@main
         with: