diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 8acd8df..a297242 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -24,22 +24,25 @@ env:
   NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }}         # e.g., docker.io/library/node@sha256:...
   POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }} # e.g., docker.io/library/postgres@sha256:...
   PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest
-  PODMAN_SOCK: /run/user/999/podman/podman.sock
 
 jobs:
   test-backend:
     runs-on: [ci]
 
     container:
-      image: quay.io/podman/stable:latest
+      image: ghcr.io/catthehacker/ubuntu:act-22.04
 
     steps:
+      - name: Install Podman client
+        run: |
+          apt-get update
+          apt-get install -y podman jq
       - uses: actions/checkout@v4
 
       - name: Verify runner wiring to Podman
         run: |
           podman --version
-          test -S "${PODMAN_SOCK}" || { echo "Missing socket ${PODMAN_SOCK}"; exit 1; }
+          test -S "/run/user/999/podman/podman.sock" || { echo "Missing socket /run/user/999/podman/podman.sock"; exit 1; }
           # Optional: sanity poke of the service via PiP later
 
       - name: Network/DNS sanity from job container
@@ -56,8 +59,8 @@ jobs:
 
       - name: Setup ephemeral PiP container
         env:
-          PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable@sha256:482bce3a829893f0dc3bf497c9a7609341fca11b34e35a92d308eb971ad61adb
-          SOCKET_PATH: ${{ env.PODMAN_SOCK }}
+          PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest
+          SOCKET_PATH: /run/user/999/podman/podman.sock
         run: |
           chmod +x ./secure_pip_setup.sh
           ./secure_pip_setup.sh
@@ -138,15 +141,19 @@ jobs:
     needs: test-backend
 
     container:
-      image: quay.io/podman/stable:latest
+      image: ghcr.io/catthehacker/ubuntu:act-22.04
 
     steps:
+      - name: Install Podman client
+        run: |
+          apt-get update
+          apt-get install -y podman jq
       - uses: actions/checkout@v4
 
       - name: Verify runner wiring to Podman
         run: |
           podman --version
-          test -S "${PODMAN_SOCK}" || { echo "Missing socket ${PODMAN_SOCK}"; exit 1; }
+          test -S "/run/user/999/podman/podman.sock" || { echo "Missing socket /run/user/999/podman/podman.sock"; exit 1; }
           # Optional: sanity poke of the service via PiP later
 
       - name: Verify pinned digests provided
@@ -158,8 +165,8 @@ jobs:
 
       - name: Setup ephemeral PiP container
         env:
-          PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }}
-          SOCKET_PATH: ${{ env.PODMAN_SOCK }}
+          PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest
+          SOCKET_PATH: /run/user/999/podman/podman.sock
         run: |
           chmod +x ./secure_pip_setup.sh
           ./secure_pip_setup.sh
@@ -197,21 +204,25 @@ jobs:
     needs: test-frontend
 
     container:
-      image: quay.io/podman/stable:latest
+      image: ghcr.io/catthehacker/ubuntu:act-22.04
 
     steps:
+      - name: Install Podman client
+        run: |
+          apt-get update
+          apt-get install -y podman jq
       - uses: actions/checkout@v4
 
       - name: Verify runner wiring to Podman
         run: |
           podman --version
-          test -S "${PODMAN_SOCK}" || { echo "Missing socket ${PODMAN_SOCK}"; exit 1; }
+          test -S "/run/user/999/podman/podman.sock" || { echo "Missing socket /run/user/999/podman/podman.sock"; exit 1; }
           # Optional: sanity poke of the service via PiP later
 
       - name: Setup ephemeral PiP container
         env:
-          PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }}
-          SOCKET_PATH: ${{ env.PODMAN_SOCK }}
+          PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest
+          SOCKET_PATH: /run/user/999/podman/podman.sock
         run: |
           chmod +x ./secure_pip_setup.sh
           ./secure_pip_setup.sh
@@ -265,21 +276,25 @@ jobs:
     needs: test-frontend
 
     container:
-      image: quay.io/podman/stable:latest
+      image: ghcr.io/catthehacker/ubuntu:act-22.04
 
     steps:
+      - name: Install Podman client
+        run: |
+          apt-get update
+          apt-get install -y podman jq
       - uses: actions/checkout@v4
 
       - name: Verify runner wiring to Podman
         run: |
           podman --version
-          test -S "${PODMAN_SOCK}" || { echo "Missing socket ${PODMAN_SOCK}"; exit 1; }
+          test -S "/run/user/999/podman/podman.sock" || { echo "Missing socket /run/user/999/podman/podman.sock"; exit 1; }
           # Optional: sanity poke of the service via PiP later
 
       - name: Setup ephemeral PiP container
         env:
-          PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }}
-          SOCKET_PATH: ${{ env.PODMAN_SOCK }}
+          PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest
+          SOCKET_PATH: /run/user/999/podman/podman.sock
         run: |
           chmod +x ./secure_pip_setup.sh
           ./secure_pip_setup.sh
@@ -334,9 +349,13 @@ jobs:
     if: success()
 
     container:
-      image: quay.io/podman/stable:latest
+      image: ghcr.io/catthehacker/ubuntu:act-22.04
 
     steps:
+      - name: Install Podman client
+        run: |
+          apt-get update
+          apt-get install -y podman jq
       - uses: actions/checkout@v4
 
       - name: Verify Podman in job container