diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml index 074bf2fc..917ba54a 100644 --- a/.github/workflows/hadolint.yml +++ b/.github/workflows/hadolint.yml @@ -30,14 +30,6 @@ jobs: driver-opts: | network=host - # Download hadolint - https://github.com/hadolint/hadolint/releases - - name: Download hadolint - run: | - sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \ - sudo chmod +x /usr/local/bin/hadolint - env: - HADOLINT_VERSION: 2.14.0 - # End Download hadolint # Checkout the repo - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 @@ -46,8 +38,17 @@ jobs: # End Checkout the repo # Test Dockerfiles with hadolint - - name: Run hadolint - run: hadolint docker/Dockerfile.{debian,alpine} + # Uses the Docker-based action (hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian) + # so no binary is downloaded at runtime. Pinned by commit SHA for supply-chain safety. + - name: Run hadolint on Dockerfile.debian + uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 + with: + dockerfile: docker/Dockerfile.debian + + - name: Run hadolint on Dockerfile.alpine + uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 + with: + dockerfile: docker/Dockerfile.alpine # End Test Dockerfiles with hadolint # Test Dockerfiles with docker build checks diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3c6d8574..d4ef21b9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -249,7 +249,7 @@ jobs: merge-manifests: name: Merge manifests - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: docker-build environment: name: release diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 1036b1ce..36163e39 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
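Review bot: The supply-chain comment added above the two new hadolint steps overstates what the SHA pin buys: pinning `hadolint/hadolint-action` to a commit freezes the action's code, but the hadolint binary that actually runs comes from the container image the action references, which the comment itself names by tag (`ghcr.io/hadolint/hadolint:v2.14.0-debian`), and a tag stays mutable unless the action's Dockerfile at that commit references the image by digest — worth confirming before claiming the pin alone is sufficient. I would reword the comment to `# Action pinned by commit SHA; the hadolint image it bundles is referenced by tag inside the action, so the SHA pin alone does not freeze the linter binary`. Splitting the old single invocation into two steps also changes reporting: a finding in Dockerfile.debian now stops the job before Dockerfile.alpine is linted, whereas the removed `hadolint docker/Dockerfile.{debian,alpine}` reported both files in one run; adding `if: ${{ !cancelled() }}` to the alpine step restores that. Finally, the removed direct invocation failed on any rule hadolint reported, so confirm the action's default `failure-threshold` input preserves that exit behaviour rather than silently relaxing it.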
@@ -14,7 +14,7 @@ on:
 jobs:
   zizmor:
     name: Run zizmor
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       security-events: write # To write the security report
     steps: