diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index dd1753e6..b0f23bf7 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -34,6 +34,8 @@ jobs: fetch-depth: 0 persist-credentials: false - uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1 + with: + persona: pedantic # flavors/dotnet is the smallest flavor of MegaLinter that contains the linters # we are interested in. - uses: oxsecurity/megalinter/flavors/dotnet@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8.8.0 diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml index bde1c229..b17201e4 100644 --- a/.github/workflows/pr-image-cleanup.yml +++ b/.github/workflows/pr-image-cleanup.yml @@ -47,14 +47,13 @@ jobs: - run: | gh extension install actions/gh-actions-cache - REPO=${{ github.repository }} - BRANCH=refs/pull/${{ github.event.pull_request.number }}/merge - ## Setting this to not fail the workflow while deleting cache keys. set +e - for cacheKey in $(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1) + for cacheKey in $(gh actions-cache list -R "${GH_REPO}" -B "${BRANCH}" | cut -f 1) do - gh actions-cache delete "$cacheKey" -R $REPO -B $BRANCH --confirm + gh actions-cache delete "${cacheKey}" -R "${GH_REPO}" -B "${BRANCH}" --confirm done env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index c6260aaf..55f0cefe 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml 
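Review bot: The rewritten loop `for cacheKey in $(gh actions-cache list ... | cut -f 1)` still word-splits the command substitution, so a cache key containing whitespace would be passed to `delete` as several wrong keys; since `cut -f 1` already yields one key per line, read line-wise instead: `gh actions-cache list -R "${GH_REPO}" -B "${BRANCH}" | cut -f 1 | while IFS= read -r cacheKey; do` / `  gh actions-cache delete "${cacheKey}" -R "${GH_REPO}" -B "${BRANCH}" --confirm` / `done`. Moving `github.repository` and the pull-request number out of the `run:` body into `env:` is the right fix for expression injection; `gh` also honours a `GH_REPO` environment variable natively, so `-R "${GH_REPO}"` is now belt-and-braces rather than required. With `set +e` in force, a failed `gh actions-cache list` yields an empty loop and the step still succeeds, which appears to be the intended best-effort behaviour and is worth stating in the existing `## Setting this ...` comment.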
@@ -77,16 +77,19 @@ jobs:
 id: inspect-manifest
 run: |
 set -Eeuo pipefail
- output=$(docker buildx imagetools inspect "${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
+ output=$(docker buildx imagetools inspect "${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
 echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
+ env:
+ GH_REPO: ${{ github.repository }}
 - name: Upload provenance to release
 run: |
 set -Eeuo pipefail
 FORMATTED_DIGEST=${DIGEST//:/_}
- gh attestation verify --repo ${{ github.repository }} "oci://${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
+ gh attestation verify --repo "${GH_REPO}" "oci://${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
 gh release upload "${REF_NAME}" ./*.intoto.jsonl
 env:
 DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
+ GH_REPO: ${{ github.repository }}
 GH_TOKEN: ${{ github.token }}
 REPOSITORY_OWNER: ${{ github.repository_owner }}
 REPOSITORY_NAME: ${{ github.event.repository.name }}
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index 8cd4e09d..66503665 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
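Review bot: `GH_REPO: ${{ github.repository }}` is declared per step in both steps of this hunk, and the same per-step declaration recurs in the wc-build-push.yml and wc-integration-test.yml hunks below; since the value never changes within a run, declaring it once at job-level `env:` removes the repetition and the risk of a step being missed the next time a `${{ github.repository }}` use is moved out of a `run:` body. `gh` also reads a `GH_REPO` environment variable on its own, so the explicit `--repo "${GH_REPO}"` is redundant but harmless. The `jq -r '.manifest.digest // .manifests[0].digest'` extraction prints the string `null` when neither field exists, so `digest=null` would only be caught later by the `gh attestation verify` call in the next step; a `test "$digest" != null` guard in the first step would fail closer to the cause. The surrounding job definition continues outside the hunk.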
@@ -74,10 +74,11 @@ jobs:
 - name: Export digest
 run: |
 set -Eeuo pipefail
- mkdir -p ${{ runner.temp }}/digests
- touch "${{ runner.temp }}/digests/${DIGEST#sha256:}"
+ mkdir -p "${RUNNER_TEMP}/digests"
+ touch "${RUNNER_TEMP}/digests/${DIGEST#sha256:}"
 env:
 DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ RUNNER_TEMP: ${{ runner.temp }}
 - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: digests-${{ inputs.flavor }}-${{ steps.devcontainer-arch.outputs.arch }}
@@ -137,7 +138,7 @@ jobs:
 import json
 import subprocess
- CONTAINER = f"{os.getenv('REGISTRY')}/${{ github.repository }}-{os.getenv('CONTAINER_FLAVOR')}"
+ CONTAINER = f"{os.getenv('REGISTRY')}/{os.getenv('GH_REPO')}-{os.getenv('CONTAINER_FLAVOR')}"
 METADATA = json.loads(os.getenv('METADATA_JSON'))
 digests = [f for f in os.listdir('.') if f.startswith('sha256:') or len(f) == 64]
@@ -152,16 +153,18 @@ jobs:
 subprocess.run(command, check=True)
 env:
 METADATA_JSON: ${{ steps.metadata.outputs.json }}
+ GH_REPO: ${{ github.repository }}
 shell: python
 working-directory: ${{ runner.temp }}/digests
 - name: Inspect manifest and extract digest
 id: inspect-manifest
 run: |
 set -Eeuo pipefail
- output=$(docker buildx imagetools inspect "${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}:${CONTAINER_VERSION}" --format '{{json .}}')
+ output=$(docker buildx imagetools inspect "${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}:${CONTAINER_VERSION}" --format '{{json .}}')
 echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
 env:
 CONTAINER_VERSION: ${{ steps.metadata.outputs.version }}
+ GH_REPO: ${{ github.repository }}
 - run: |
 set -Eeuo pipefail
 wget -O diffoci https://github.com/reproducible-containers/diffoci/releases/download/v0.1.7/diffoci-v0.1.7.linux-amd64
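Review bot: `RUNNER_TEMP` is already a default environment variable that the runner exports to every step with the same value as `${{ runner.temp }}`, so the added `RUNNER_TEMP: ${{ runner.temp }}` line shadows a runner-provided variable with an identical value; either drop it, or keep it with a comment such as `# same value the runner already exports; declared here to make the dependency explicit` so the next reader does not assume the script would break without it. Quoting `"${RUNNER_TEMP}/digests"` in `mkdir -p` is a correct fix, since the previous unquoted `${{ runner.temp }}` expansion would have word-split on any space in the path.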
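Review bot: `os.getenv('GH_REPO')` returns `None` when the variable is missing, so a step that lacks the matching `env:` entry would silently build the image reference as `<registry>/None-<flavor>` and the later commands would operate on that name instead of failing at the source; `CONTAINER = f"{os.environ['REGISTRY']}/{os.environ['GH_REPO']}-{os.environ['CONTAINER_FLAVOR']}"` raises `KeyError` on the first line instead. The same applies to `REGISTRY` and `CONTAINER_FLAVOR`, which are presumably set at job level outside this hunk. This Python `run:` block starts and ends outside the hunk; the `GH_REPO` entry it relies on is added to the step's `env:` in the following hunk.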
@@ -196,7 +199,8 @@ jobs:
 show-summary: false
 push-to-registry: true
 - name: Verify attestation
- run: gh attestation verify --repo ${{ github.repository }} "oci://${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}@${DIGEST}"
+ run: gh attestation verify --repo "${GH_REPO}" "oci://${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}@${DIGEST}"
 env:
 DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
+ GH_REPO: ${{ github.repository }}
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
index c65c22d2..d4fcc621 100644
--- a/.github/workflows/wc-integration-test.yml
+++ b/.github/workflows/wc-integration-test.yml
@@ -34,8 +34,10 @@ jobs:
 with:
 path: ${{ runner.temp }}
 pattern: digests-${{ inputs.flavor }}-${{ steps.runner-arch.outputs.arch }}
- - run: echo "container=$(printf "ghcr.io/${{ github.repository }}-${CONTAINER_FLAVOR}@sha256:%s " *)" >> "$GITHUB_OUTPUT"
+ - run: echo "container=$(printf "ghcr.io/${GH_REPO}-${CONTAINER_FLAVOR}@sha256:%s " *)" >> "$GITHUB_OUTPUT"
 working-directory: ${{ runner.temp }}/digests-${{ inputs.flavor }}-${{ steps.runner-arch.outputs.arch }}
+ env:
+ GH_REPO: ${{ github.repository }}
 id: set-container
 run-test:
 needs: determine-container
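Review bot: `gh attestation verify --repo "${GH_REPO}"` accepts an attestation signed by any workflow of this repository, not specifically the build-and-push step that produced `${DIGEST}` a few steps earlier; if the intent is to gate on this workflow's own provenance, consider also constraining the signer identity (`--signer-workflow`), bearing in mind that for a reusable workflow the certificate identity is the calling workflow, so confirm the expected value against a real attestation before tightening. Quoting the repository both in `--repo` and inside the `oci://` reference is a correct hardening step and removes the last `${{ }}` expansion from this `run:` line. The job this step belongs to continues outside the hunk.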
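Review bot: The rewritten `run:` still expands the bare glob `*` inside `printf`, so if the downloaded digests directory is empty the glob stays literal and the step writes `container=ghcr.io/<repo>-<flavor>@sha256:*` to `$GITHUB_OUTPUT`, which the downstream `run-test` job only discovers when the image pull fails; an explicit nullglob plus a non-empty check fails this step with a clear message instead. The host `ghcr.io` is hard-coded here while the other workflows in this commit derive the reference from `${REGISTRY}`; if that variable is available in this workflow, using it keeps the image-reference derivation in one place. The rewrite below assumes the default bash shell; `CONTAINER_FLAVOR` is set outside the hunk.
```yaml
      - run: |
          shopt -s nullglob
          set -- *
          [ "$#" -gt 0 ] || { echo "no digest files found in ${PWD}" >&2; exit 1; }
          echo "container=$(printf "ghcr.io/${GH_REPO}-${CONTAINER_FLAVOR}@sha256:%s " "$@")" >> "$GITHUB_OUTPUT"
        # … unchanged: working-directory, env (GH_REPO), id …
```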