diff --git a/.github/workflows/build-nix.yml b/.github/workflows/build-nix.yml
index e28d8a8ed5..19c03a338b 100644
--- a/.github/workflows/build-nix.yml
+++ b/.github/workflows/build-nix.yml
@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-14]
+        os: [ubuntu-24.04, macos-14]
     runs-on: ${{ matrix.os }}
     timeout-minutes: 15 # NOTE (aseipp): keep in-sync with the build.yml timeout limit
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b771cb1862..577b7bce56 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,10 +20,10 @@ jobs:
       fail-fast: false
       matrix:
         # macos-13 is x86; macos-14 is ARM
-        os: [ubuntu-latest, macos-13, macos-14, windows-latest]
+        os: [ubuntu-24.04, macos-13, macos-14, windows-latest]
         cargo_flags: [""]
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-24.04
           cargo_flags: "--all-features"
     runs-on: ${{ matrix.os }}
 
@@ -81,7 +81,7 @@ jobs:
 
   build-no-git:
     name: Build jj-lib without Git support
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -95,7 +95,7 @@ jobs:
 
   check-protos:
     name: Check protos
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
@@ -109,7 +109,7 @@ jobs:
 
   rustfmt:
     name: Check formatting
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
@@ -120,7 +120,7 @@ jobs:
 
   check-doctests:
     name: Run doctests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
@@ -140,7 +140,7 @@ jobs:
 
   mkdocs:
     name: Check that MkDocs can build the docs
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
@@ -158,7 +158,7 @@ jobs:
   # An optional job to alert us when uv updates break the build
   mkdocs-latest:
     name: Check that MkDocs can build the docs with latest Python and uv
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Install uv
@@ -169,7 +169,7 @@ jobs:
         run: uv run --python-preference=only-managed -- mkdocs build --strict
 
   cargo-deny:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         checks:
@@ -189,7 +189,7 @@ jobs:
     name: Clippy check
     permissions:
       checks: write
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 37870813be..9780fec105 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -15,7 +15,7 @@ permissions: read-all
 jobs:
   codespell:
     name: Codespell
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 7b935d2e98..5c3844f009 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
     - name: Enable auto-merge for Dependabot PRs
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 7aa13a8a77..ab0e2e3ec7 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -13,7 +13,7 @@ jobs:
     if: github.repository_owner == 'martinvonz' # Stops this job from running on forks
     strategy:
       matrix:
-        os: [ubuntu-latest]
+        os: [ubuntu-24.04]
     runs-on: ${{ matrix.os }}
 
     steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e35ab04cc5..b816cf79d9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -87,7 +87,7 @@ jobs:
         asset_content_type: application/octet-stream
 
   docs-release-archive:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
 
@@ -121,7 +121,7 @@ jobs:
           asset_content_type: application/octet-stream
 
   docs-deploy-website-latest-release:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
 
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 60e8dae90a..ae6f310b1f 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -13,7 +13,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecards analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write