diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 43424823d7..5e7a91919c 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -14,8 +14,8 @@ jobs:
     - name: Checkout Commit
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
       with:
-        standalone: true
+        install: false
     - name: Audit
       run: pn audit
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 47a4fc7512..19d32a560d 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -46,24 +46,16 @@ jobs:
         git checkout "origin/pr-${PR_NUMBER}"
         echo "Checked out PR #$PR_NUMBER at $(git rev-parse --short HEAD)"
 
-    - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+    - name: Install pnpm and Node
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
       with:
-        standalone: true
-
-    - name: Setup Node
-      run: pnpm runtime -g set node 26.0.0
-      timeout-minutes: 2
+        runtime: node@26.0.0
 
     - name: Install hyperfine
       run: |
         wget -q https://github.com/sharkdp/hyperfine/releases/download/v1.18.0/hyperfine_1.18.0_amd64.deb
         sudo dpkg -i hyperfine_1.18.0_amd64.deb
 
-    - name: Install dependencies
-      run: pnpm install
-      timeout-minutes: 5
-
     - name: Compile
       run: pnpm run compile
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b622739376..3c16ef5170 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,12 +19,7 @@ jobs:
     - name: Checkout Commit
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
-      with:
-        standalone: true
-    - name: pnpm install
-      run: pn install
-      timeout-minutes: 3
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
     - name: Compile TypeScript
       run: pn compile-only
     - name: Lint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 65dd07a02d..5a0b1d595d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,15 +22,10 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Install pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+      - name: Install pnpm and Node
+        uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
         with:
-          standalone: true
-      - name: Setup Node
-        run: pn runtime -g set node 26.0.0
-        timeout-minutes: 2
-      - name: pnpm install
-        run: pn install
+          runtime: node@26.0.0
       # The publish phase is split into three sequential steps to control which packages
       # use trusted publishing (OIDC) vs. a static token. `pnpm publish` currently bails
       # out of OIDC as soon as a static `_authToken` is configured, so the only way to
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6c0c4e6195..de7ca00d42 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,19 +30,10 @@ jobs:
         git config --global user.email "x@y.z"
     - name: Checkout Commit
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+    - name: Install pnpm and Node
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
       with:
-        standalone: true
-    - name: Setup Node
-      run: pn runtime -g set node ${{ inputs.node }}
-      timeout-minutes: 2
-    # npm is needed for preparing git-hosted dependencies (e.g. in dlx tests)
-    - name: Verify npm
-      run: npm --version
-    - name: pnpm install
-      run: pn install --no-runtime
-      timeout-minutes: 3
+        runtime: node@${{ inputs.node }}
     - name: Verify Node version
       shell: bash
       run: |
@@ -52,6 +43,11 @@ jobs:
           echo "Expected Node version $expected but got $actual"
           exit 1
         fi
+    # npm is needed for preparing git-hosted dependencies (e.g. in dlx tests).
+    # `pnpm runtime set node` does not extract npm; the runner image's
+    # pre-installed Node toolchain provides it on PATH.
+    - name: Verify npm
+      run: npm --version
     - name: Download compiled artifacts
       uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
       with:
diff --git a/.github/workflows/update-lockfile.yml b/.github/workflows/update-lockfile.yml
index 955cc04abe..ff63ebd655 100644
--- a/.github/workflows/update-lockfile.yml
+++ b/.github/workflows/update-lockfile.yml
@@ -19,14 +19,12 @@ jobs:
       with:
         token: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
 
+    # The job deletes the lockfile and regenerates it with `--lockfile-only`,
+    # so skip the action's auto-install — it would just be wasted work.
     - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
       with:
-        standalone: true
-
-    - name: Setup Node
-      run: pnpm runtime -g set node 24.6.0
-      timeout-minutes: 2
+        install: false
 
     - name: Update lockfile
       run: |