diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 132344ce2c..18ab91b5ae 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -123,30 +123,30 @@ jobs: trap 'echo "::endgroup::"' EXIT pnpm install --frozen-lockfile --prefer-offline - - name: UI Anti-Pattern Audit - Gate - shell: bash - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - echo "::group::Audit" - trap 'echo "::endgroup::"' EXIT - # Ensure local python bin is on path for td-cli - export PATH="$HOME/.local/bin:/github/home/.local/bin:$PATH" - if ! node scripts/detect-antipatterns.mjs; then echo "Audit failed"; exit 1; fi - td-cli gh audit-gate - - - name: Design Token Compliance - run: | - # Check for raw hex colors not in tokens.css - VIOLATIONS=$(grep -rn '#[0-9a-fA-F]\{3,6\}' src/features src/pages \ - --include="*.tsx" \ - | grep -vc "design-tokens\|tokens.css\|// impeccable-ignore" || echo 0) - if [ "$VIOLATIONS" -gt 0 ]; then - echo "⚠️ Found $VIOLATIONS raw hex color(s) in tsx files. Use CSS variables instead." - grep -rn '#[0-9a-fA-F]\{3,6\}' src/features src/pages --include="*.tsx" | grep -v "design-tokens\|tokens.css" - exit 1 - fi - echo "✅ Design token compliance passed." + - parallel: + - name: UI Anti-Pattern Audit - Gate + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "::group::Audit" + trap 'echo "::endgroup::"' EXIT + # Ensure local python bin is on path for td-cli + export PATH="$HOME/.local/bin:/github/home/.local/bin:$PATH" + if ! node scripts/detect-antipatterns.mjs; then echo "Audit failed"; exit 1; fi + td-cli gh audit-gate + + - name: Design Token Compliance + run: | + # Dynamic search for TSX files to avoid hardcoded paths. + VIOLATIONS=$(find . -name "*.tsx" -not -path "*/node_modules/*" -type f | xargs grep -h '#[0-9a-fA-F]\{3,6\}' \ + | grep -vc "design-tokens\|tokens.css\|// impeccable-ignore" || echo 0) + if [ "$VIOLATIONS" -gt 0 ]; then + echo "⚠️ Found $VIOLATIONS raw hex color(s) in tsx files. Use CSS variables instead." + find . 
-name "*.tsx" -not -path "*/node_modules/*" -type f | xargs grep -rn '#[0-9a-fA-F]\{3,6\}' | grep -v "design-tokens\|tokens.css" + exit 1 + fi + echo "✅ Design token compliance passed." test-build: name: Build & E2E
@@ -186,6 +186,8 @@ jobs: - name: Bundle Size Check + id: bundle-size + background: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: |
@@ -228,6 +230,17 @@ jobs: retention-days: 7 if-no-files-found: ignore + - name: Wait for Bundle Size Check + wait: bundle-size + + - name: Verify Bundle Size Check + if: always() + run: | + if [ "${{ steps.bundle-size.outcome }}" = "failure" ]; then + echo "Bundle Size Check failed in background" + exit 1 + fi + impact-analysis: needs: [verify-changes, lint-typecheck, audit, test-build] name: Deployment Impact Analysis
@@ -257,24 +270,19 @@ jobs: - run: pnpm install --frozen-lockfile --prefer-offline - - name: Deployment Impact Analysis - run: pnpm run impact:analysis - - name: Build Main - env: - DISABLE_MINIFY: true - run: pnpm run impact:build-main - - name: Build PR - env: - VITE_BASE_PATH: / - DISABLE_MINIFY: true - run: pnpm run build:review - - name: Visual Diff - run: pnpm run impact:visual-diff - - name: DOM Diff - run: pnpm run impact:dom-diff - - name: Check if visual changes exist - id: check_visuals - run: pnpm exec tsx scripts/check-visual-changes.ts >> "$GITHUB_OUTPUT" + - parallel: + - name: Deployment Impact Analysis + run: pnpm run impact:analysis + - name: Build Main + env: + DISABLE_MINIFY: true + run: pnpm run impact:build-main + - name: Build PR + env: + VITE_BASE_PATH: / + DISABLE_MINIFY: true + run: pnpm run build:review + - name: Code review agent if: always() && github.event_name == 'pull_request' continue-on-error: true
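Review bot: Switching the count to `grep -h` drops the file name from each match, so the `grep -v "design-tokens\|tokens.css"` filter that follows now only tests line content; a hex literal inside a file whose path contains those names (what the old path-based filter appears to have excluded) is now counted as a violation. The `find .` walk also widens the scan from `src/features src/pages` to the whole checkout, so any `.tsx` file outside `src` that carries a colour literal (build output or fixtures, if present) would fail the gate. Keeping the file name with `-H` restores the filter, and `-print0 | xargs -0 -r` keeps paths with spaces and an empty result from breaking the pipeline: `VIOLATIONS=$(find . -name "*.tsx" -not -path "*/node_modules/*" -type f -print0 | xargs -0 -r grep -Hn '#[0-9a-fA-F]\{3,6\}' \`. The second `find ... | xargs grep -rn` used for the listing should get the same treatment, and its `-r` is redundant since explicit files are passed. The `audit` job this `parallel:` block belongs to begins outside the hunk.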
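Review bot: `Verify Bundle Size Check` fails the job only when `steps.bundle-size.outcome` is exactly `failure`, so a background step that ended as `cancelled` or never ran (`skipped`) is reported as passing, and because `Wait for Bundle Size Check` has no `if: always()` while the verify step does, an earlier step failure skips the wait and lets the verify step read an outcome that may not be final yet (inferred; the `background`/`wait` semantics are not visible here). Comparing against success is the safer guard, `if [ "${{ steps.bundle-size.outcome }}" != "success" ]; then`, together with `if: always()` on the wait step. The interpolated value is one of the fixed outcome strings, so the expression inside the shell line is not an injection path. This guards the `background: true` step added in the `@@ -186` hunk, whose `run:` body lies outside both hunks.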
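Review bot: `Build Main` and `Build PR` now run concurrently in one checkout, and if `impact:build-main` and `build:review` share a bundler cache or output directory (not visible from here) the two builds can race and the later diff steps compare partial output; a comment above the `parallel:` block naming the distinct output paths, or keeping the two builds sequential, would make the assumption explicit: `# NOTE: build-main and build:review run concurrently and must write to separate output dirs`. The same consideration applies to the `Visual Diff`/`DOM Diff` group in the `@@ -282` hunk, which presumably reads both builds. `Deployment Impact Analysis` was previously the first step and now runs alongside the builds, so if `impact:analysis` reads build output the grouping breaks it. The `Code review agent` step that closes this hunk continues past it.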
@@ -282,23 +290,37 @@ jobs: GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: pnpm run impact:gemini-code-review + - name: Code review github models agent if: always() && github.event_name == 'pull_request' continue-on-error: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: pnpm run impact:github-models-code-review + + - parallel: + - name: Visual Diff + run: pnpm run impact:visual-diff + - name: DOM Diff + run: pnpm run impact:dom-diff + + - name: Check if visual changes exist + id: check_visuals + run: pnpm exec tsx scripts/check-visual-changes.ts >> "$GITHUB_OUTPUT" + - name: Visual review agent if: always() && steps.check_visuals.outputs.changed_routes != '0' && steps.check_visuals.outputs.changed_routes != '' env: GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: pnpm run impact:gemini-review + - name: Visual review github models agent if: always() && steps.check_visuals.outputs.changed_routes != '0' && steps.check_visuals.outputs.changed_routes != '' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: pnpm run impact:github-models-review + - name: Report Summary if: always() run: |
diff --git a/.github/workflows/workflow-validation.yml b/.github/workflows/workflow-validation.yml
index e4b23f01a0..30d265a24d 100644
--- a/.github/workflows/workflow-validation.yml
+++ b/.github/workflows/workflow-validation.yml
@@ -35,11 +35,21 @@ jobs: - name: Download actionlint id: get_actionlint run: | - curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash > download-actionlint.sh - bash download-actionlint.sh + # Pin to a specific version and commit for security + # Current commit for v1.7.12 as of 2026-06-26 + curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/914e7df21a07ef503a81201c76d2b11c789d3fca/scripts/download-actionlint.bash > download-actionlint.sh + bash download-actionlint.sh 1.7.12 rm download-actionlint.sh shell: bash - name: Lint workflow logic with actionlint - run: ${{ steps.get_actionlint.outputs.executable }} -color + run: | + # Ignore 'background', 'parallel', and 'wait' keywords as actionlint does + # not yet support these new GitHub Actions features. + ./actionlint \ + -ignore 'step must run script with "run" section' \ + -ignore 'unexpected key "background"' \ + -ignore 'unexpected key "parallel"' \ + -ignore 'unexpected key "wait"' \ + -color shell: bash
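Review bot: The `-ignore` patterns apply to every workflow file actionlint scans, so a step anywhere that lacks both `run` and `uses` now passes lint silently, and the steps nested under `parallel:` in ci.yml are presumably not parsed at all, which means their `run:` scripts get none of actionlint's shellcheck or untrusted-expression checks; a comment on the lint step recording that blind spot, `# NOTE: steps nested under parallel: are not linted until actionlint supports the key`, and a follow-up to drop the ignores, would keep it from being forgotten. Pinning the helper script to commit `914e7df21a07ef503a81201c76d2b11c789d3fca` is a good move, but `bash download-actionlint.sh 1.7.12` still trusts whatever asset the release tag currently points to; verifying the downloaded binary against a pinned digest, `echo "<EXPECTED_SHA256>  actionlint" | sha256sum -c -`, closes that gap. The `id: get_actionlint` output is no longer referenced now that the lint step hardcodes `./actionlint`, so either drop the id or keep using `${{ steps.get_actionlint.outputs.executable }}` so the path stays tied to where the script actually placed the binary.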