diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 35f9597ff..1df511df6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,7 +29,7 @@ env:
 jobs:
   build-dev-environment:
     name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     strategy:
       matrix:
         include:
diff --git a/.github/workflows/check_push.yml b/.github/workflows/check_push.yml
new file mode 100644
index 000000000..c7d727151
--- /dev/null
+++ b/.github/workflows/check_push.yml
@@ -0,0 +1,23 @@
+name: Check branch conformity
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - "test/**"
+
+jobs:
+  prevent-fixup-commits:
+      runs-on: ubuntu-24
+      env:
+        target: debian-bookworm
+        distro: debian
+        version: bookworm
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v4
+        - name: prevent fixup commits
+          run: |
+            git fetch origin
+            git status
+            git log --pretty=format:%s origin/main..HEAD | grep -ie '^fixup\|^wip' && exit 1 || true
diff --git a/.github/workflows/check_repos.yml b/.github/workflows/check_repos.yml
index db33f9a65..1e165c7c3 100644
--- a/.github/workflows/check_repos.yml
+++ b/.github/workflows/check_repos.yml
@@ -10,11 +10,15 @@ on:
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
   workflow_dispatch:
+  push:
+    branches:
+      - main
+      - "test/**"
 
 jobs:
   install-from-apt-repo:
     name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     container: ${{ matrix.distro }}:${{ matrix.version }}
     strategy:
       matrix:
@@ -70,7 +74,7 @@ jobs:
 
   install-from-yum-repo:
     name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     container: ${{ matrix.distro }}:${{ matrix.version }}
     strategy:
       matrix:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4af11d27c..050abbd07 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ concurrency:
 
 jobs:
   run-lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     container:
       image: debian:bookworm
     steps:
@@ -78,7 +78,7 @@ jobs:
 
   download-tessdata:
     name: Download and cache Tesseract data
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     steps:
     - uses: actions/checkout@v4
     - name: Cache Tessdata
@@ -183,7 +183,7 @@ jobs:
     needs:
       - build-container-image
     name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     strategy:
       matrix:
         include:
@@ -250,8 +250,8 @@ jobs:
 
   install-deb:
     name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
-    runs-on: ubuntu-latest
-    needs:
+    runs-on: ubuntu-24
+    needs: 
       - build-deb
     strategy:
       matrix:
@@ -305,7 +305,7 @@ jobs:
 
   build-install-rpm:
     name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     needs:
       - build-container-image
     strategy:
@@ -377,7 +377,7 @@ jobs:
 
   run-tests:
     name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     needs:
       - build-container-image
       - download-tessdata
diff --git a/.github/workflows/close-issues.yml b/.github/workflows/close-issues.yml
index cf503fd7b..aeda14b05 100644
--- a/.github/workflows/close-issues.yml
+++ b/.github/workflows/close-issues.yml
@@ -2,10 +2,14 @@ name: Close inactive issues
 on:
   schedule:
     - cron: "30 1 * * *"
+  push:
+    branches:
+      - main
+      - "test/**"
 
 jobs:
   close-issues:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     permissions:
       issues: write
     steps:
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index d98510927..fafef1fba 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - main
+      - "test/**"
   pull_request:
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
@@ -10,7 +11,7 @@ on:
 
 jobs:
   security-scan-container:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -51,7 +52,7 @@ jobs:
           severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/workflows/scan_released.yml b/.github/workflows/scan_released.yml
index 0333e4925..6502446e3 100644
--- a/.github/workflows/scan_released.yml
+++ b/.github/workflows/scan_released.yml
@@ -1,5 +1,9 @@
 name: Scan released app and container
 on:
+  push:
+    branches:
+      - main
+      - "test/**"
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
   workflow_dispatch:
@@ -9,7 +13,7 @@ jobs:
     strategy:
       matrix:
         include:
-          - runs-on: ubuntu-latest
+          - runs-on: ubuntu-24
             arch: i686
           # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
           # - runs-on: macos-latest
@@ -55,7 +59,7 @@ jobs:
           severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     steps:
       - name: Checkout
         uses: actions/checkout@v4