diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1ea6c37..15e6d11 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -306,14 +306,12 @@ jobs:
 . -> target
 
 - name: Start RustFS
- # Pinned to 1.0.0-beta.3 (2026-05-14) — the last known-good tag.
- # `rustfs/rustfs:latest` (1.0.0-beta.4, 2026-05-21) added a
- # credentials-policy check that refuses to start when
- # AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY are values it considers
- # "default" (rustfsadmin/rustfsadmin in our case). Bumping to
- # beta.4+ requires either rotating those creds to less-default
- # values or setting RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true
- # — deliberate work, not an emergency. Pin first; upgrade later.
+ # Pinned to 1.0.0-beta.8 (2026-06-10). beta.4+ refuses "default"
+ # credentials (rustfsadmin/rustfsadmin) unless
+ # RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true is set — fine for
+ # an ephemeral CI container. The three S3 suites were validated
+ # against the beta.8 binary locally before this bump. Keep the pin
+ # explicit (never `latest`) so upgrades are deliberate.
 run: |
 docker rm -f rustfs >/dev/null 2>&1 || true
 docker run -d \
@@ -322,7 +320,8 @@ jobs:
 -p 9001:9001 \
 -e RUSTFS_ACCESS_KEY="${AWS_ACCESS_KEY_ID}" \
 -e RUSTFS_SECRET_KEY="${AWS_SECRET_ACCESS_KEY}" \
- rustfs/rustfs:1.0.0-beta.3 \
+ -e RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true \
+ rustfs/rustfs:1.0.0-beta.8 \
 /data
 
 - name: Install AWS CLI
diff --git a/scripts/local-rustfs-bootstrap.sh b/scripts/local-rustfs-bootstrap.sh
index c4fdcbe..2425c77 100755
--- a/scripts/local-rustfs-bootstrap.sh
+++ b/scripts/local-rustfs-bootstrap.sh
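Review bot: The new comment in the `Start RustFS` step of .github/workflows/ci.yml says the explicit pin keeps upgrades deliberate, but a tag such as `1.0.0-beta.8` can be re-pointed by the publisher, so the job can still pull different bits without any change in this repository. Pinning by digest enforces what the comment promises: `rustfs/rustfs:1.0.0-beta.8@sha256:<digest-of-validated-image>` (placeholder; use the digest of the image that was validated locally). The same tag-only default is introduced for `RUSTFS_IMAGE` in scripts/local-rustfs-bootstrap.sh, and the comment could add that the digest, not the tag, is what was tested.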
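Review bot: In the second hunk of .github/workflows/ci.yml, `RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true` makes the container accept the well-known rustfsadmin/rustfsadmin pair while the context line `-p 9001:9001 \` publishes the port on every interface of the runner. That is harmless on an isolated hosted runner, but the runner type is not visible here, and on a self-hosted or shared runner the store would be reachable from the network with known credentials. Binding to loopback keeps the comment's "ephemeral CI container" assumption true, assuming the test suites reach the service via localhost: `-p 127.0.0.1:9001:9001 \`, and likewise for any other `-p` line in the part of the `docker run` command that sits above this hunk.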
@@ -6,14 +6,12 @@ SOURCE_REF="${SOURCE_REF:-main}"
 RELEASE_CHANNEL="${RELEASE_CHANNEL:-edge}"
 WORKDIR="${WORKDIR:-$PWD/.omnigraph-rustfs-demo}"
 RUSTFS_CONTAINER_NAME="${RUSTFS_CONTAINER_NAME:-omnigraph-rustfs-demo}"
-# Pinned to 1.0.0-beta.3 (2026-05-14) — the last known-good tag, matching CI
-# (.github/workflows/ci.yml). `rustfs/rustfs:latest` (1.0.0-beta.4, 2026-05-21)
-# added a credentials-policy check that refuses to start when the access/secret
-# keys are values it considers "default" (rustfsadmin/rustfsadmin here). This
-# script still works on beta.4+ because it passes
-# RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true below — so overriding
-# RUSTFS_IMAGE to a newer tag is safe.
-RUSTFS_IMAGE="${RUSTFS_IMAGE:-rustfs/rustfs:1.0.0-beta.3}"
+# Pinned to 1.0.0-beta.8 (2026-06-10), matching CI (.github/workflows/ci.yml).
+# beta.4+ has a credentials-policy check that refuses to start when the
+# access/secret keys are values it considers "default" (rustfsadmin/rustfsadmin
+# here); this script passes RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true
+# below, so overriding RUSTFS_IMAGE to another tag is safe.
+RUSTFS_IMAGE="${RUSTFS_IMAGE:-rustfs/rustfs:1.0.0-beta.8}"
 RUSTFS_DATA_DIR="${RUSTFS_DATA_DIR:-$WORKDIR/rustfs-data}"
 BUCKET="${BUCKET:-omnigraph-local}"
 PREFIX="${PREFIX:-repos/context}"
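Review bot: "safe" in the new comment above `RUSTFS_IMAGE` only means the container still starts on another tag, yet it reads as a security statement right next to a flag that permits the well-known rustfsadmin/rustfsadmin pair. Unlike the CI container, this one appears to keep its data under `RUSTFS_DATA_DIR` between runs, so I would reword the last comment line to `# below, so overriding RUSTFS_IMAGE to another tag still starts (default creds: keep it local).` The `docker run` invocation is outside this hunk, so whether its ports are bound to loopback cannot be checked from here.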