diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 66dbbf487..408292746 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -559,6 +559,60 @@ jobs:
       lint: false
       verbose: true
     secrets: inherit
+  compatibility_tests:
+    strategy:
+      max-parallel: 4
+      fail-fast: false
+      matrix:
+        container:
+          - id: debian:bullseye
+          - id: debian:bookworm
+          - id: nixos/nix:latest
+            nix_shell: 'nix-shell -p python3 gcc gnumake perl'
+    name: Compatibility tests (${{ matrix.container.id }})
+    runs-on: ubuntu-latest
+    container:
+      ${{ matrix.container.id }}
+    steps:
+      # We're not using the checkout action here because on it's not supported
+      # on all containers we want to test. Resort to a manual checkout.
+
+      # We can't hoist this into an action since calling an action can only
+      # be done after checkout.
+      - name: Manual checkout
+        shell: bash
+        run: |
+          if (which yum > /dev/null); then
+             yum install git -y
+          elif (which apt > /dev/null); then
+             apt update
+             apt install git -y
+          fi
+
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+          git init
+          git remote add origin $GITHUB_SERVER_URL/$GITHUB_REPOSITORY
+          git fetch origin --depth 1 $GITHUB_SHA
+          git checkout FETCH_HEAD
+      - uses: ./.github/actions/setup-os
+        with:
+          sudo: ""
+      - name: make quickcheck
+        shell: bash
+        run: |
+          if [ -n "${{ matrix.container.nix_shell }}" ]; then
+            ${{ matrix.container.nix_shell }} --run "CC=gcc OPT=0 make quickcheck && make clean >/dev/null && CC=gcc OPT=1 make quickcheck"
+          else
+            CC=gcc OPT=0 make quickcheck
+            make clean >/dev/null
+            CC=gcc OPT=1 make quickcheck
+          fi
+      - name: Functional Tests
+        uses: ./.github/actions/multi-functest
+        with:
+          nix-shell: ""
+          custom_shell: ${{ matrix.container.nix_shell && format('{0} --run \"bash -e {{0}}\"', matrix.container.nix_shell) || 'bash' }}
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
   check_autogenerated_files:
     strategy:
       fail-fast: false
diff --git a/META.sh b/META.sh
index 8de8122bc..21edbff22 100755
--- a/META.sh
+++ b/META.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Copyright (c) The mlkem-native project authors
 # Copyright (c) The mldsa-native project authors
 # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
diff --git a/Makefile b/Makefile
index 5bae6e416..73e17ebb5 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@
 	run_size_44 run_size_65 run_size_87 run_size \
 	host_info
 
-SHELL := /bin/bash
+SHELL := /usr/bin/env bash
 .DEFAULT_GOAL := build
 
 all: build
diff --git a/proofs/cbmc/Makefile.common b/proofs/cbmc/Makefile.common
index 43d69d38c..0ee37ad53 100644
--- a/proofs/cbmc/Makefile.common
+++ b/proofs/cbmc/Makefile.common
@@ -88,7 +88,7 @@ CBMC_STARTER_KIT_VERSION = CBMC starter kit 2.11
 # results that are hard to explain.  Dependency handling in this
 # Makefile.common may not be perfect.
 
-SHELL=/bin/bash
+SHELL=/usr/bin/env bash
 
 default: report
 
diff --git a/proofs/cbmc/lib/z3_no_bv_extract b/proofs/cbmc/lib/z3_no_bv_extract
index ca0358d31..6affe9ec5 100755
--- a/proofs/cbmc/lib/z3_no_bv_extract
+++ b/proofs/cbmc/lib/z3_no_bv_extract
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Copyright (c) The mlkem-native project authors
 # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT