diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 00000000000..b014e60948b
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,9 @@
+# Configuration for actionlint.
+#
+# Blacksmith runners are self-hosted runners from GitHub Actions' perspective, so
+# actionlint needs to be told that these custom runner labels are valid.
+self-hosted-runner:
+  labels:
+    - blacksmith-*-ubuntu-*
+    - blacksmith-*-windows-*
+    - blacksmith-*-macos-*
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 6fd2f73b4ab..2e6fc8ab38e 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -8,7 +8,7 @@ permissions:
 
 jobs:
   code-quality:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     steps:
       - name: ⬇️ Checkout repo
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0cac7c8595f..a150833d508 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,7 +20,7 @@ permissions:
 
 jobs:
   check-broken-links:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     defaults:
       run:
         working-directory: ./docs
diff --git a/.github/workflows/e2e-webapp-auth-full.yml b/.github/workflows/e2e-webapp-auth-full.yml
index de9d66c07e9..f92d6a78865 100644
--- a/.github/workflows/e2e-webapp-auth-full.yml
+++ b/.github/workflows/e2e-webapp-auth-full.yml
@@ -37,7 +37,7 @@ on:
 jobs:
   e2eAuthFull:
     name: "🛡️ E2E Auth Tests (full)"
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 30
     env:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
diff --git a/.github/workflows/e2e-webapp.yml b/.github/workflows/e2e-webapp.yml
index f306a86cd28..f5eafe5e380 100644
--- a/.github/workflows/e2e-webapp.yml
+++ b/.github/workflows/e2e-webapp.yml
@@ -14,7 +14,7 @@ on:
 jobs:
   e2eTests:
     name: "🧪 E2E Tests: Webapp"
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 20
     env:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index a70f0400e0a..95ee9368d9c 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -20,7 +20,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [blacksmith-4vcpu-ubuntu-2404, blacksmith-4vcpu-windows-2025]
         package-manager: ["npm", "pnpm"]
     steps:
       - name: ⬇️ Checkout repo
diff --git a/.github/workflows/helm-prerelease.yml b/.github/workflows/helm-prerelease.yml
index afdb26fb6a2..b806d9396e5 100644
--- a/.github/workflows/helm-prerelease.yml
+++ b/.github/workflows/helm-prerelease.yml
@@ -28,7 +28,7 @@ env:
 
 jobs:
   lint-and-test:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     permissions:
       contents: read
     steps:
@@ -77,7 +77,7 @@ jobs:
       ((github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
       github.event_name == 'push' ||
       github.event_name == 'workflow_dispatch')
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     permissions:
       contents: read
       packages: write
diff --git a/.github/workflows/pr_checks.yml b/.github/workflows/pr_checks.yml
index 1fb3a47a45c..4dce7311e9d 100644
--- a/.github/workflows/pr_checks.yml
+++ b/.github/workflows/pr_checks.yml
@@ -48,6 +48,7 @@ jobs:
             typecheck_self:
               - '.github/workflows/pr_checks.yml'
               - '.github/workflows/typecheck.yml'
+              - '.github/workflows/code-quality.yml'
             webapp:
               - 'apps/webapp/**'
               - 'packages/**'
@@ -103,8 +104,6 @@ jobs:
               - 'turbo.json'
 
   code-quality:
-    needs: changes
-    if: needs.changes.outputs.code == 'true'
     uses: ./.github/workflows/code-quality.yml
 
   typecheck:
diff --git a/.github/workflows/sdk-compat.yml b/.github/workflows/sdk-compat.yml
index 1510af23181..e8cd6659d66 100644
--- a/.github/workflows/sdk-compat.yml
+++ b/.github/workflows/sdk-compat.yml
@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest]
+        os: [blacksmith-4vcpu-ubuntu-2404]
         node: ["20.20", "22.12"]
 
     steps:
@@ -54,7 +54,7 @@ jobs:
 
   bun-compat:
     name: "Bun Runtime"
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -96,7 +96,7 @@ jobs:
 
   deno-compat:
     name: "Deno Runtime"
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -142,7 +142,7 @@ jobs:
 
   cloudflare-compat:
     name: "Cloudflare Workers"
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml
index 91ec46f3a9a..63a9144bac9 100644
--- a/.github/workflows/typecheck.yml
+++ b/.github/workflows/typecheck.yml
@@ -8,7 +8,7 @@ permissions:
 
 jobs:
   typecheck:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-8vcpu-ubuntu-2404
 
     steps:
       - name: ⬇️ Checkout repo
diff --git a/.github/workflows/unit-tests-internal.yml b/.github/workflows/unit-tests-internal.yml
index 5a0e5622159..b31cc08ba06 100644
--- a/.github/workflows/unit-tests-internal.yml
+++ b/.github/workflows/unit-tests-internal.yml
@@ -14,7 +14,7 @@ on:
 jobs:
   unitTests:
     name: "🧪 Unit Tests: Internal"
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     strategy:
       # one flaky shard shouldn't cancel its siblings - lets us re-run only the failed shard
       fail-fast: false
@@ -130,7 +130,7 @@ jobs:
     name: "📊 Merge Reports"
     if: ${{ !cancelled() }}
     needs: [unitTests]
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/unit-tests-packages.yml b/.github/workflows/unit-tests-packages.yml
index 1102864c454..8ffb72af237 100644
--- a/.github/workflows/unit-tests-packages.yml
+++ b/.github/workflows/unit-tests-packages.yml
@@ -14,7 +14,7 @@ on:
 jobs:
   unitTests:
     name: "🧪 Unit Tests: Packages"
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     strategy:
       # one flaky shard shouldn't cancel its siblings - lets us re-run only the failed shard
       fail-fast: false
@@ -130,7 +130,7 @@ jobs:
     name: "📊 Merge Reports"
     if: ${{ !cancelled() }}
     needs: [unitTests]
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/unit-tests-webapp.yml b/.github/workflows/unit-tests-webapp.yml
index 8566014c49d..b0e9b0fb4dc 100644
--- a/.github/workflows/unit-tests-webapp.yml
+++ b/.github/workflows/unit-tests-webapp.yml
@@ -14,7 +14,7 @@ on:
 jobs:
   unitTests:
     name: "🧪 Unit Tests: Webapp"
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     strategy:
       # one flaky shard shouldn't cancel its siblings - lets us re-run only the failed shard
       fail-fast: false
@@ -139,7 +139,7 @@ jobs:
     name: "📊 Merge Reports"
     if: ${{ !cancelled() }}
     needs: [unitTests]
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/workflow-checks.yml b/.github/workflows/workflow-checks.yml
index 62406671fc5..ebd963497ce 100644
--- a/.github/workflows/workflow-checks.yml
+++ b/.github/workflows/workflow-checks.yml
@@ -7,11 +7,13 @@ on:
       - ".github/workflows/**"
       - ".github/actions/**"
       - ".github/zizmor.yml"
+      - ".github/actionlint.yaml"
   pull_request:
     paths:
       - ".github/workflows/**"
       - ".github/actions/**"
       - ".github/zizmor.yml"
+      - ".github/actionlint.yaml"
 
 permissions: {}
 
@@ -22,7 +24,7 @@ concurrency:
 jobs:
   actionlint:
     name: Actionlint
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     permissions:
       contents: read
     steps:
@@ -41,7 +43,7 @@ jobs:
     # variable to 'false' to skip this job where code scanning isn't available;
     # leave it unset (the default) to run the scan.
     if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }}
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     permissions:
       security-events: write # Upload SARIF to GitHub Security tab
       contents: read # Read workflow files for analysis