diff --git a/.github/workflows/check-expected-release-files.yml b/.github/workflows/check-expected-release-files.yml
index edcc499dc8..a066cbde55 100644
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -15,7 +15,7 @@ defaults:
 
 jobs:
   check-expected-release-files:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
 
     permissions:
       contents: read
diff --git a/.github/workflows/label-pr-size.yml b/.github/workflows/label-pr-size.yml
index 83ec360f57..965a4a8587 100644
--- a/.github/workflows/label-pr-size.yml
+++ b/.github/workflows/label-pr-size.yml
@@ -16,7 +16,7 @@ permissions:
 jobs:
   sizeup:
     name: Label PR with size
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
 
     steps:
       - name: Run sizeup
diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml
index b5c0f27b54..c59e6c8890 100644
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -24,7 +24,7 @@ defaults:
 
 jobs:
   merge-back:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     environment: Automation
     if: github.repository == 'github/codeql-action'
     env:
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index 82fa18e3b8..dad6fce39a 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -29,7 +29,7 @@ defaults:
 jobs:
   prepare:
     name: "Prepare release"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.repository == 'github/codeql-action'
 
     permissions:
diff --git a/.github/workflows/publish-immutable-action.yml b/.github/workflows/publish-immutable-action.yml
index effe2255a2..9350bf2b28 100644
--- a/.github/workflows/publish-immutable-action.yml
+++ b/.github/workflows/publish-immutable-action.yml
@@ -10,7 +10,7 @@ defaults:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     permissions:
       contents: read
       id-token: write
diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml
index 8c0f8274e7..f2c3cd40cb 100644
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -20,7 +20,7 @@ defaults:
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     permissions:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull requests
diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml
index 69700a35f6..830ed7c2a5 100644
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -26,7 +26,7 @@ jobs:
 
   update:
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.event_name == 'workflow_dispatch'
     needs: [prepare]
     env:
@@ -77,7 +77,7 @@ jobs:
 
   backport:
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml
index 35d4ba01f4..b6cbe01510 100644
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -9,7 +9,7 @@ jobs:
   update-supported-enterprise-server-versions:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.repository == 'github/codeql-action'
     permissions:
       contents: write # needed to push commits