diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a3c56679..ef0a6ae6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,6 +43,19 @@ jobs:
 # PR #120). Integration is now exclusively in nightly.yml.
 # -short skips 3 known-slow stress tests in pkg/daemon and
 # pkg/daemon/udpio; everything else runs.
- env:
- TMPDIR: ${{ runner.temp }}
- run: go test -short -count=1 -timeout 600s ./pkg/... ./cmd/... ./internal/...
+ #
+ # macOS runners hand out a $RUNNER_TEMP (/Users/runner/work/_temp)
+ # whose ACLs make t.TempDir() fail with "mkdir ...: permission
+ # denied" (a recurring GitHub macos-runner issue, seen on #304/
+ #306/#308) — and a writable subdir under it inherits the same
+ # restriction, so pointing TMPDIR there is not enough. Use a fresh
+ # mktemp dir under /tmp instead, which is writable by the test
+ # process. Ubuntu keeps the default $RUNNER_TEMP behaviour.
+ run: |
+ if [ "${RUNNER_OS}" = "macOS" ]; then
+ TMPDIR="$(mktemp -d /tmp/gotmp.XXXXXX)"
+ export TMPDIR
+ else
+ export TMPDIR="${RUNNER_TEMP}"
+ fi
+ go test -short -count=1 -timeout 600s ./pkg/... ./cmd/... ./internal/...
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f56f788e..5206b5fd 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
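Review bot: The macOS branch never records which directory it chose, so a recurrence of the permission-denied failure the comment describes (#304/#306/#308) gives no way to tell from the log whether the workaround was actually taken; add `echo "TMPDIR=${TMPDIR}"` after the `fi` so the effective value appears in the step output. The script also relies on the job's default shell to abort when `mktemp` fails; if a `shell:` is set elsewhere in the workflow (outside the hunk) that drops `-e`, a failed `mktemp` would leave TMPDIR empty and the tests would silently fall back to the system default, so `set -eu` as the first line of the script makes the intent explicit either way. The step and job this script belongs to start before the hunk.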
@@ -40,10 +40,26 @@ jobs:
 - uses: actions/checkout@v7
 with:
 fetch-depth: 0
- - name: Run gitleaks
- uses: gitleaks/gitleaks-action@v2
+
+ # The gitleaks GitHub Action (gitleaks/gitleaks-action) requires a paid
+ # GITLEAKS_LICENSE secret for ORGANIZATION repos and fails with "missing
+ # gitleaks license". The gitleaks binary itself is MIT-licensed and free,
+ # so we run a version-pinned binary release directly — same scan, no
+ # license gate. The repo's .gitleaks.toml allowlist is read by default.
+ - name: Install gitleaks
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_VERSION: "8.30.1"
+ run: |
+ set -euo pipefail
+ curl -sSL -o /tmp/gitleaks.tar.gz \
+ "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+ tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
+ sudo install /tmp/gitleaks /usr/local/bin/gitleaks
+ gitleaks version
+
+ - name: Run gitleaks (full history)
+ run: |
+ gitleaks git --no-banner --redact --verbose .
 
 # gosec SAST. NON-GATING: the codebase carries pre-existing findings that are
 # by-design for a local CLI (G304/G703 reading user-named files, G204/G702
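Review bot: The `curl` download in the Install gitleaks step is not integrity-checked, so the scanner that gates this workflow is whatever the release URL serves at run time, whereas the action it replaces at least resolved to a tagged commit; pin the tarball's digest next to the version, `GITLEAKS_SHA256: "<sha256 of the 8.30.1 linux_x64 tarball>"` under `env`, and verify before extracting with `echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c -`. The gitleaks release assets include a checksums file the value can be taken from, and a bumped GITLEAKS_VERSION then forces the digest to be refreshed with it rather than silently pulling a new binary. Separately, `curl -sSL` without `-f` stores an HTML error body as the tarball on a 404, which only surfaces later as an obscure `tar` failure; `curl -fsSL` fails the step at the download with the HTTP status. The job these steps belong to starts before the hunk, and the gosec step whose comment closes it continues after it.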