diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
index f2b6dcd58c..28b5cca1c2 100644
--- a/.github/workflows/build-and-publish.yml
+++ b/.github/workflows/build-and-publish.yml
@@ -9,9 +9,56 @@ on:
         value: '${{ jobs.publish-bundle.outputs.version }}'
 
 jobs:
+  lint:
+    name: 'Lint'
+    runs-on: 'gemini-cli-ubuntu-16-core'
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+        with:
+          ref: '${{ github.event.inputs.branch_ref || github.ref }}'
+          fetch-depth: 0
+
+      - name: 'Set up Node.js'
+        uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4.4.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'npm'
+
+      - name: 'Install dependencies'
+        run: 'npm ci'
+
+      - name: 'Validate NOTICES.txt'
+        run: 'git diff --exit-code packages/vscode-ide-companion/NOTICES.txt'
+
+      - name: 'Check lockfile'
+        run: 'npm run check:lockfile'
+
+      - name: 'Install linters'
+        run: 'node scripts/lint.js --setup'
+
+      - name: 'Run ESLint'
+        run: 'node scripts/lint.js --eslint'
+
+      - name: 'Run actionlint'
+        run: 'node scripts/lint.js --actionlint'
+
+      - name: 'Run shellcheck'
+        run: 'node scripts/lint.js --shellcheck'
+
+      - name: 'Run yamllint'
+        run: 'node scripts/lint.js --yamllint'
+
+      - name: 'Run Prettier'
+        run: 'node scripts/lint.js --prettier'
+
+      - name: 'Run sensitive keyword linter'
+        run: 'node scripts/lint.js --sensitive-keywords'
+
   publish-bundle:
     name: 'Publish Bundle'
     runs-on: 'gemini-cli-ubuntu-16-core'
+    needs: ['lint']
     outputs:
       version: '${{ steps.version.outputs.version }}'
     permissions:
@@ -49,7 +96,7 @@ jobs:
         run: |
           CURRENT_VERSION=$(node -p "require('./package.json').version")
           NEW_VERSION="${CURRENT_VERSION}-ci.${{ github.run_number }}.${{ github.sha }}"
-          echo "version=${NEW_VERSION}" >> $GITHUB_OUTPUT
+          echo "version=${NEW_VERSION}" >> "$GITHUB_OUTPUT"
           npm version --no-git-tag-version "${NEW_VERSION}"
 
       - name: 'Publish to GitHub Packages'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 97df506cfb..988d2ab725 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,57 +23,9 @@ defaults:
     shell: 'bash'
 
 jobs:
-  lint:
-    name: 'Lint'
-    runs-on: 'gemini-cli-ubuntu-16-core'
-    steps:
-      - name: 'Checkout'
-        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
-        with:
-          ref: '${{ github.event.inputs.branch_ref || github.ref }}'
-          fetch-depth: 0
-
-      - name: 'Set up Node.js'
-        uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4.4.0
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'npm'
-
-      - name: 'Install dependencies'
-        run: 'npm ci'
-
-      - name: 'Validate NOTICES.txt'
-        run: 'git diff --exit-code packages/vscode-ide-companion/NOTICES.txt'
-
-      - name: 'Check lockfile'
-        run: 'npm run check:lockfile'
-
-      - name: 'Install linters'
-        run: 'node scripts/lint.js --setup'
-
-      - name: 'Run ESLint'
-        run: 'node scripts/lint.js --eslint'
-
-      - name: 'Run actionlint'
-        run: 'node scripts/lint.js --actionlint'
-
-      - name: 'Run shellcheck'
-        run: 'node scripts/lint.js --shellcheck'
-
-      - name: 'Run yamllint'
-        run: 'node scripts/lint.js --yamllint'
-
-      - name: 'Run Prettier'
-        run: 'node scripts/lint.js --prettier'
-
-      - name: 'Run sensitive keyword linter'
-        run: 'node scripts/lint.js --sensitive-keywords'
-
   test_linux:
     name: 'Test (Linux)'
     runs-on: 'gemini-cli-ubuntu-16-core'
-    needs:
-      - 'lint'
     permissions:
       contents: 'read'
       checks: 'write'
@@ -134,8 +86,6 @@ jobs:
   test_mac:
     name: 'Test (Mac)'
     runs-on: '${{ matrix.os }}'
-    needs:
-      - 'lint'
     permissions:
       contents: 'read'
       checks: 'write'
@@ -320,7 +270,6 @@ jobs:
     name: 'CI'
     if: 'always()'
     needs:
-      - 'lint'
       - 'test_linux'
       - 'test_mac'
       - 'codeql'
@@ -329,8 +278,7 @@ jobs:
     steps:
       - name: 'Check all job results'
         run: |
-          if [[ (${{ needs.lint.result }} != 'success' && ${{ needs.lint.result }} != 'skipped') || \
-               (${{ needs.test_linux.result }} != 'success' && ${{ needs.test_linux.result }} != 'skipped') || \
+          if [[ (${{ needs.test_linux.result }} != 'success' && ${{ needs.test_linux.result }} != 'skipped') || \
                (${{ needs.test_mac.result }} != 'success' && ${{ needs.test_mac.result }} != 'skipped') || \
                (${{ needs.codeql.result }} != 'success' && ${{ needs.codeql.result }} != 'skipped') || \
                (${{ needs.bundle_size.result }} != 'success' && ${{ needs.bundle_size.result }} != 'skipped') ]]; then
diff --git a/.github/workflows/orchestrator.yml b/.github/workflows/orchestrator.yml
index da6bcb6039..0ac12c6672 100644
--- a/.github/workflows/orchestrator.yml
+++ b/.github/workflows/orchestrator.yml
@@ -20,7 +20,6 @@ permissions:
   deployments: 'read'
   discussions: 'read'
   issues: 'read'
-  models: 'read'
   pages: 'read'
   repository-projects: 'read'
   id-token: 'write'