diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index dc747cd..5a08654 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -32,10 +32,12 @@ jobs:
       - name: Setup SSH with pinned known_hosts
         run: |
           mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
           echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
           echo "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
           chmod 644 ~/.ssh/known_hosts
+          git config --global core.sshCommand "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts"
 
       - name: Create integration test network
         run: |
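Review bot: The private key is still written with the process default umask before `chmod 600 ~/.ssh/id_ed25519` runs, and the secret is expanded into the script text by `${{ secrets.SSH_PRIVATE_KEY }}` before the shell sees it, so any quote or `$` in the key material is interpreted by the shell rather than written verbatim; setting `umask 077` first and passing both secrets through `env:` with `printf '%s\n' "$SSH_PRIVATE_KEY"` closes both gaps. Because these jobs run on a self-hosted runner (`runs-on: [self-hosted, ci]` appears later in this diff), the key file and the `--global` git config also outlive the job; an `if: always()` step with `rm -f ~/.ssh/id_ed25519` belongs next to the per-job socket cleanup this change introduces. The enclosing `jobs:` mapping continues outside the hunk.
```yaml
      - name: Setup SSH with pinned known_hosts
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts
          # … unchanged: git config --global core.sshCommand … line …
```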
@@ -49,29 +51,30 @@ jobs:
             -e POSTGRES_PASSWORD=testpassword \
             -e POSTGRES_USER=testuser \
             -e POSTGRES_DB=testdb \
-            postgres:15-alpine
+            postgres:15-alpine@sha256:def456abc1237890def456abc1237890def456abc1237890def456abc1237890
 
       - name: Wait for PostgreSQL to be ready
         run: |
-          podman exec ci-pip-$RUN_ID timeout 60 bash -c 'until podman exec test-postgres pg_isready -h test-postgres -p 5432 -U testuser; do sleep 1; done'
+          podman exec ci-pip-$RUN_ID sh -lc \
+            'timeout 60 sh -c "until podman exec test-postgres pg_isready -h test-postgres -p 5432 -U testuser; do sleep 1; done"'
 
       - name: Run backend unit tests
         run: |
-          podman exec ci-pip-$RUN_ID sh -c \
-            'cd /workspace && podman run --rm \
-              -v /workspace:/workspace \
+          podman exec -e WORKSPACE="${GITHUB_WORKSPACE}" ci-pip-$RUN_ID sh -lc \
+            'podman run --rm \
+              -v "$WORKSPACE":/workspace \
               -w /workspace \
-              rust:latest \
+              rust@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef \
               sh -c "cargo test --lib -- --test-threads=1"'
 
       - name: Run backend integration tests
         run: |
-          podman exec ci-pip-$RUN_ID sh -c \
-            'cd /workspace && podman run --rm \
-              -v /workspace:/workspace \
+          podman exec -e WORKSPACE="${GITHUB_WORKSPACE}" ci-pip-$RUN_ID sh -lc \
+            'podman run --rm \
+              -v "$WORKSPACE":/workspace \
               -w /workspace \
               -e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \
-              rust:latest \
+              rust@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef \
               sh -c "cargo test --test '*' -- --test-threads=1"'
 
       - name: Cleanup test resources
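Review bot: The digests pinned on `postgres:15-alpine@sha256:def456abc1237890…` and `rust@sha256:1234567890abcdef…` repeat a 16-hex pattern four times and read like placeholders rather than values taken from a registry; unless they are real, every `podman run` in this hunk fails at pull time with a manifest-not-found error, so they should be resolved with something like `skopeo inspect --format '{{.Digest}}' docker://docker.io/library/rust:<tag>` before merging. The references are also still short names, so which registry `rust@sha256:…` is looked up against depends on the registries.conf of whichever podman performs the pull; writing them fully qualified, `docker.io/library/rust@sha256:…` and `docker.io/library/postgres@sha256:…`, removes that ambiguity. The tag each digest was resolved from is no longer visible anywhere, so record it in the workflow (a comment above the step, since these lines sit inside a shell continuation) so the pin can be reviewed and bumped.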
@@ -81,6 +84,13 @@ jobs:
           podman exec ci-pip-$RUN_ID podman rm test-postgres 2>/dev/null || true
           podman exec ci-pip-$RUN_ID podman network rm integ-$RUN_ID 2>/dev/null || true
 
+      - name: Per-job cleanup (host socket)
+        if: always()
+        run: |
+          SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
+          pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
+          rm -rf "${SOCKET_DIR}" 2>/dev/null || true
+
   test-frontend:
     runs-on: [self-hosted, ci]
     needs: test-backend
@@ -100,11 +110,11 @@ jobs:
 
       - name: Run frontend tests in PiP
         run: |
-          podman exec ci-pip-$RUN_ID sh -c \
-            'cd /workspace && podman run --rm \
-              -v /workspace:/workspace \
+          podman exec -e WORKSPACE="${GITHUB_WORKSPACE}" ci-pip-$RUN_ID sh -lc \
+            'podman run --rm \
+              -v "$WORKSPACE":/workspace \
               -w /workspace \
-              node:20 \
+              node:20@sha256:7890abcdef1234567890abcdef1234567890abcdef1234567890abcdef123456 \
               sh -c "npm ci && npm run test"'
 
       - name: Per-job cleanup (host socket)
@@ -147,6 +157,13 @@ jobs:
           podman exec -e REGISTRY="$REGISTRY" -e APP_NAME="$APP_NAME" -e IMAGE_TAG="$IMAGE_TAG" \
             ci-pip-$RUN_ID sh -lc 'podman push "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG"'
 
+      - name: Per-job cleanup (host socket)
+        if: always()
+        run: |
+          SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
+          pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
+          rm -rf "${SOCKET_DIR}" 2>/dev/null || true
+
   build-frontend:
     runs-on: [self-hosted, ci]
     needs: test-frontend
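Review bot: This cleanup step re-derives `SOCKET_DIR` from `XDG_RUNTIME_DIR`, `id -u` and `RUN_ID` exactly as `secure_pip_setup.sh` does, and the same six lines are pasted into three jobs in this diff (a fourth copy already exists in test-frontend, visible as context below); if the setup script's socket layout ever changes, the copies silently stop matching the `grep -F "unix://${SOCKET_DIR}/podman.sock"` pattern and leave `podman system service` processes running on the self-hosted runner. Put the body in a `secure_pip_teardown.sh` next to the setup script, sourcing the same SOCKET_DIR/SOCKET_PATH derivation, and reduce each step to `run: ./secure_pip_teardown.sh` (invoked the same way the setup script is). The teardown should also wait briefly for the service to exit before `rm -rf "${SOCKET_DIR}"`, since `xargs -r kill` only sends SIGTERM and the directory is removed on the very next line.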
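Review bot: `npm ci && npm run test` runs every dependency's install lifecycle scripts with write access to the bind-mounted `$WORKSPACE`, which on this self-hosted runner is the host checkout (`-v "$WORKSPACE":/workspace`), so a compromised package's install hook executes regardless of the digest pin on `node:20@sha256:…`; unless the test suite relies on postinstall builds, change it to `sh -c "npm ci --ignore-scripts && npm run test"`. If a specific package genuinely needs its install script, note it in a comment above the step so the exception is reviewed rather than implicit. The enclosing test-frontend job starts before this hunk.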
@@ -180,6 +197,13 @@ jobs:
           podman exec -e REGISTRY="$REGISTRY" -e APP_NAME="$APP_NAME" -e IMAGE_TAG="$IMAGE_TAG" \
             ci-pip-$RUN_ID sh -lc 'podman push "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG"'
 
+      - name: Per-job cleanup (host socket)
+        if: always()
+        run: |
+          SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
+          pgrep -u "$(id -u)" -fa 'podman system service' | grep -F "unix://${SOCKET_DIR}/podman.sock" | awk '{print $1}' | xargs -r kill || true
+          rm -rf "${SOCKET_DIR}" 2>/dev/null || true
+
   cleanup:
     runs-on: [self-hosted, ci]
     needs: [build-backend, build-frontend]
diff --git a/secure_pip_setup.sh b/secure_pip_setup.sh
index 1ecaf36..8513260 100644
--- a/secure_pip_setup.sh
+++ b/secure_pip_setup.sh
@@ -9,7 +9,7 @@ RUN_ID="${GITHUB_RUN_ID:-local}"
 PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
 SOCKET_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-host-${RUN_ID}"
 SOCKET_PATH="${SOCKET_DIR}/podman.sock"
-PODMAN_IMAGE="quay.io/podman/stable:latest"
+PODMAN_IMAGE="quay.io/podman/stable@sha256:abc123def4567890abcdef1234567890abcdef1234567890abcdef1234567890"
 WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
 
 # Clean up any existing container and socket for this run
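Review bot: `PODMAN_IMAGE` is now an opaque digest with no record of the tag it was resolved from, and `abc123def4567890…` reads like a placeholder rather than a value published by quay.io; since this image supplies the podman client that every job's `podman exec ci-pip-$RUN_ID` runs, a digest that does not resolve breaks the whole pipeline at setup rather than in one job. Resolve it with `skopeo inspect --format '{{.Digest}}' docker://quay.io/podman/stable:<tag>` and keep the source beside the pin, e.g. `PODMAN_IMAGE="quay.io/podman/stable@sha256:…"  # quay.io/podman/stable:<tag>, resolved <date>`, so the pin can be audited and bumped deliberately. The rest of the setup script, including where this variable is consumed, is outside the hunk.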