diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
index 204eb849..1871ff47 100644
--- a/.github/workflows/checkmarx-one-scan.yml
+++ b/.github/workflows/checkmarx-one-scan.yml
@@ -11,7 +11,7 @@ on:
 jobs:
   cx-scan:
     name: Checkmarx One Scan
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
index 408e6db4..adb7c179 100644
--- a/.github/workflows/ci-tests.yml
+++ b/.github/workflows/ci-tests.yml
@@ -3,9 +3,12 @@ name: Continuous Integration Tests
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout the repository
         uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
@@ -32,7 +35,7 @@ jobs:
           exit 0
         fi
   integration-tests:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout the repository
         uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
@@ -116,8 +119,11 @@ jobs:
           exit 0
         fi
   lint:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: lint
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
       - name: Set up Go version
@@ -136,7 +142,7 @@ jobs:
           only-new-issues: true
 
   govulncheck:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     name: govulncheck
     steps:
       - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
@@ -151,7 +157,7 @@ jobs:
         continue-on-error: true
 
   checkDockerImage:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     name: scan Docker Image with Trivy
     steps:
       - name: Checkout code
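Review bot: Moving the `pull_request`-triggered jobs onto `cx-public-ubuntu-x64` (ci-tests `@@ -3,9`, `@@ -32,7`, `@@ -116,8`, `@@ -136,7`, `@@ -151,7`, and pr-linter `@@ -4,9` further down) means a pull request opened from a fork would run its build and test steps on that runner; if the label names a self-hosted runner rather than a GitHub-hosted one and the repository accepts fork PRs, the runner must be ephemeral and isolated, or the jobs should be gated with `if: github.event.pull_request.head.repo.full_name == github.repository`. Whether the runner is self-hosted is inferred from the label name only, since the diff does not define it. The same label is repeated in every job across all seven workflows; a repository variable (`runs-on: ${{ vars.CI_RUNNER }}`) would make the next runner migration a single change instead of thirteen. The top-level `permissions: contents: read` added in `@@ -3,9` is a sound default, and the job-level block in `@@ -116,8` widens it only for the lint job, which is the right shape.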
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 0c4850b9..736fd17e 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
diff --git a/.github/workflows/nightly-parallel.yml b/.github/workflows/nightly-parallel.yml
index 3233390b..6c24778b 100644
--- a/.github/workflows/nightly-parallel.yml
+++ b/.github/workflows/nightly-parallel.yml
@@ -26,7 +26,7 @@ jobs:
   # to a named matrix group, so they fall through to the catch-all run.
   # ─────────────────────────────────────────────────────────────────────────────
   validate-test-coverage:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     outputs:
       uncovered_tests: ${{ steps.find-uncovered.outputs.uncovered_tests }}
       has_uncovered: ${{ steps.find-uncovered.outputs.has_uncovered }}
@@ -91,7 +91,7 @@ jobs:
   # ─────────────────────────────────────────────────────────────────────────────
   integration-tests:
     needs: validate-test-coverage
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     strategy:
       fail-fast: false
       matrix:
@@ -467,7 +467,7 @@ jobs:
   # ─────────────────────────────────────────────────────────────────────────────
   merge-coverage:
     needs: integration-tests
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: always()
     env:
       CX_BASE_URI: ${{ secrets.CX_BASE_URI }}
@@ -537,7 +537,7 @@ jobs:
   # ─────────────────────────────────────────────────────────────────────────────
   notify-on-failure:
     needs: [integration-tests, merge-coverage]
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: failure()
     steps:
       - name: Write failure summary
diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml
index 8c786210..e16b372e 100644
--- a/.github/workflows/pr-label.yml
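Review bot: The `merge-coverage` job in nightly-parallel `@@ -467,7` now runs with `CX_BASE_URI: ${{ secrets.CX_BASE_URI }}` in its environment on `cx-public-ubuntu-x64`; if that label is a self-hosted runner that is not ephemeral, the job's environment, checked-out workspace and any coverage artifacts it writes remain on the host after the run and are reachable by whatever job is scheduled there next. Confirm the runner group is configured for one job per VM (or that a workspace-cleanup step runs at the end of each job), and restrict the group to this repository so workflows from other repositories cannot land on the same hosts. The `dependabot-merge` job in `@@ -6,7` deserves the same check, since its `permissions:` block above the hunk presumably grants the write access needed to merge. The rest of the nightly-parallel hunks (`@@ -26,7`, `@@ -91,7`, `@@ -537,7`) carry no secrets in the visible lines and only need the runner-trust review already noted for the first file.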
+++ b/.github/workflows/pr-label.yml
@@ -10,7 +10,7 @@ jobs:
   pr-labeler:
     permissions:
       pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - uses: TimonVS/pr-labeler-action@8447391d87bc7648ce6bf97159c17b642576afb0 #v3
         with:
diff --git a/.github/workflows/pr-linter.yml b/.github/workflows/pr-linter.yml
index 5ed416c9..3f4a82e3 100644
--- a/.github/workflows/pr-linter.yml
+++ b/.github/workflows/pr-linter.yml
@@ -4,9 +4,12 @@ on:
   pull_request:
     types: [opened, edited]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Check PR Title and Branch
         run: |
diff --git a/.github/workflows/trivy-cache.yml b/.github/workflows/trivy-cache.yml
index bf3887e8..fe87863b 100644
--- a/.github/workflows/trivy-cache.yml
+++ b/.github/workflows/trivy-cache.yml
@@ -9,7 +9,7 @@ on:
 
 jobs:
   update-trivy-db:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Setup oras
         uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d #v1.2.2