diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index dc4072b6f..878817142 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -102,19 +102,19 @@ jobs:
 steps:
 - name: Check out a copy of the git repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
 - name: Run hadolint on Dockerfiles
 continue-on-error: ${{inputs.soft-linting == 'true'}}
 env:
- hadolint_version: 'sha256:e9dbf5113239ef2bf696d20c8f28d3019a47c26a38c98b89344d3e2846c4d5f8'
+ sha: 'sha256:e9dbf5113239ef2bf696d20c8f28d3019a47c26a38c98b89344d3e2846c4d5f8'
 run: |
 echo '::add-matcher::.github/problem-matchers/hadolint.json'
- find . -name Dockerfile -print0 | \
- xargs -0 -r docker run --rm -i -v "${PWD}:/app" -w /app \
- --entrypoint /bin/hadolint \
- ghcr.io/hadolint/hadolint@${{env.hadolint_version}}
+ shopt -s globstar
+ files=(**/Dockerfile*)
+ if [[ ${#files[@]} -gt 0 ]]; then
+ docker run --rm -v "${PWD}:/app" -w /app \
+ ghcr.io/hadolint/hadolint@${{env.sha}} /bin/hadolint "${files[@]}"
+ fi
 shell-lint:
 name: Shell script lint checks
@@ -124,8 +124,6 @@ jobs:
 steps:
 - name: Check out a copy of the git repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
 - name: Install problem matcher
 run: echo '::add-matcher::.github/problem-matchers/shellcheck.json'
@@ -147,8 +145,6 @@ jobs:
 steps:
 - name: Check out a copy of the git repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
 - name: Install yamllint
 run: |
@@ -159,10 +155,7 @@ jobs:
 continue-on-error: ${{inputs.soft-linting == 'true'}}
 run: |
 echo "::add-matcher::.github/problem-matchers/yamllint.json"
- # shellcheck disable=SC2038
- find . -not -path '*.github/workflows/*' \
- '(' -name '*.yaml' -o -name '*.yml' ')' | \
- xargs yamllint -f github
+ yamllint -f github . CITATION.cff
 bazel-lint:
 name: Bazel build lint checks
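Review bot: In the hadolint step of ci.yaml (hunk -102,19), the `if [[ ${#files[@]} -gt 0 ]]` guard never skips the run, because without `nullglob` an unmatched `**/Dockerfile*` stays in the array as a literal string and the count is 1. Setting `shopt -s globstar nullglob` makes the empty case real. The pattern also matches anything whose name begins with `Dockerfile`, including directories and files such as `Dockerfile.dockerignore`, which the old `find -name Dockerfile` did not; worth confirming that is intended. Since the linter only reads the tree, the bind mount could be `-v "${PWD}:/app:ro"`, and `${sha}` from the step's `env` would avoid expanding `${{env.sha}}` inside the script text.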
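Review bot: In the yamllint step of ci.yaml (hunk -159,10), `yamllint -f github .` no longer carries the `-not -path '*.github/workflows/*'` exclusion that the removed `find` had, so workflow files are linted unless the repository's yamllint configuration ignores them; that configuration is not visible here. If the exclusion is still wanted it belongs in the config's `ignore` list. A short comment such as `# CITATION.cff has no .yaml suffix, so it must be named explicitly` would explain the extra argument. The step's `name:` line sits above the hunk.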
@@ -172,8 +165,6 @@ jobs:
 steps:
 - name: Check out a copy of the git repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
 - name: Install Buildifier
 uses: jbajic/setup-buildifier@c558ee05c6f74ab5753ff794516750b4aadac296 # v1
@@ -184,9 +175,7 @@ jobs:
 continue-on-error: ${{inputs.soft-linting == 'true'}}
 run: |
 echo '::add-matcher::.github/problem-matchers/buildifier.json'
- # shellcheck disable=SC2038
- find . -name 'BUILD' -o -name '*.bzl' -o -name 'WORKSPACE' | \
- xargs buildifier -mode=diff -lint=warn
+ buildifier -mode=diff -lint=warn -r .
 action-lint:
 name: GitHub Actions lint checks
@@ -196,8 +185,6 @@ jobs:
 steps:
 - name: Check out a copy of the git repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
 - name: Run actionlint
 continue-on-error: ${{inputs.soft-linting == 'true'}}
diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
index eea641cc3..0f69dff11 100644
--- a/.github/workflows/pr-labeler.yaml
+++ b/.github/workflows/pr-labeler.yaml
@@ -48,7 +48,7 @@ jobs:
 label-pr-size:
 if: github.repository_owner == 'quantumlib'
 name: Update PR size labels
- runs-on: ubuntu-24.04
+ runs-on: ubuntu-slim
 timeout-minutes: 5
 permissions:
 contents: read
diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml
index b8deea7c4..11d4410dd 100644
--- a/.github/workflows/scorecard-scanner.yaml
+++ b/.github/workflows/scorecard-scanner.yaml
@@ -32,11 +32,6 @@ on:
 # Allow manual invocation.
 workflow_dispatch:
- inputs:
- debug:
- description: 'Run with debugging options'
- type: boolean
- default: true
 concurrency:
 # Cancel any previously-started but still active runs on the same branch.
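Review bot: In pr-labeler.yaml (hunk -48,7), `runs-on: ubuntu-slim` replaces a version-pinned image with a floating label, so the runner image can change without a commit to this file, unlike the SHA-pinned actions in these workflows. A comment on the line, for example `# slim runner: this job only makes label API calls`, would record why the smaller runner is enough. The job's steps are outside the hunk, so confirm none of them needs tooling the slim image lacks.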
@@ -73,19 +68,10 @@ jobs:
 - name: Upload results to code-scanning dashboard
 # yamllint disable rule:line-length
- uses: github/codeql-action/upload-sarif@ba454b8ab46733eb6145342877cd148270bb77ab # codeql-bundle-v2.23.5
+ uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
 with:
 sarif_file: scorecard-results.sarif
- - if: github.event.inputs.debug == true || runner.debug == true
- name: Upload results as artifacts to the workflow Summary page
- # yamllint disable rule:line-length
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
- with:
- name: Scorecard SARIF file
- path: scorecard-results.sarif
- retention-days: 5
-
 # Scorecard currently (ver. 2.4.x) doesn't allow submissions from jobs having
 # steps that use "run:". To print to the summary, we need to use another job.
 write-summary: