diff --git a/.flue/sandbox/Dockerfile b/.flue/sandbox/Dockerfile
index f5677d73db1c..310330aa8023 100644
--- a/.flue/sandbox/Dockerfile
+++ b/.flue/sandbox/Dockerfile
@@ -69,5 +69,8 @@ COPY .flue/sandbox/AGENTS.md /tmp/.config/opencode/AGENTS.md
 
 EXPOSE 48765
 
+# Default to the non-root user provided by the base image.
+USER node
+
 # Default: start OpenCode server listening on all interfaces
 CMD ["opencode", "serve", "--port", "48765", "--hostname", "0.0.0.0"]
diff --git a/.github/workflows/check-merge.yml b/.github/workflows/check-merge.yml
index 42db71d7f64d..b2716620d18e 100644
--- a/.github/workflows/check-merge.yml
+++ b/.github/workflows/check-merge.yml
@@ -39,38 +39,44 @@ jobs:
         with:
           files: |
             .changeset/**/*.md
-      # Intentionally ran after the changed-files step so the github API is used to identify
-      # changed files rather than a local git diff, this is more reliable for pull requests
-      # originating from a forked repository.
-      - name: Checkout files
-        id: checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        if: steps.changed-files.outputs.any_changed == 'true'
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          fetch-depth: 1
-          persist-credentials: false
-          sparse-checkout: |
-            .changeset
       - name: Check if any changesets contain minor or major changes
         id: check
         if: steps.changed-files.outputs.any_changed == 'true'
         env:
           ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
-        run: |
-          echo "Checking for changesets marked as minor or major"
-          echo "found=false" >> $GITHUB_OUTPUT
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            core.setOutput('found', 'false');
+
+            const regex = /["']astro["']: (minor|major)/;
+            const changedFiles = process.env.ALL_CHANGED_FILES.split(/\s+/).filter(Boolean);
+            const { owner, name: repo } = context.payload.pull_request.head.repo;
+            const ref = context.payload.pull_request.head.sha;
 
-          regex="[\"']astro[\"']: (minor|major)"
-          for file in ${ALL_CHANGED_FILES}; do
-              if [[ $(cat $file) =~ $regex ]]; then
-                  version="${BASH_REMATCH[1]}"
-                  echo "version=$version" >> $GITHUB_OUTPUT
-                  echo "found=true" >> $GITHUB_OUTPUT
-                  echo "$file has a $version release tag"
-              fi
-          done
+            for (const file of changedFiles) {
+              const { data } = await github.rest.repos.getContent({
+                owner: owner.login,
+                repo,
+                path: file,
+                ref,
+              });
+
+              if (Array.isArray(data) || !('content' in data)) {
+                continue;
+              }
+
+              const contents = Buffer.from(data.content, 'base64').toString('utf8');
+              const match = contents.match(regex);
+
+              if (match) {
+                const version = match[1];
+                core.setOutput('version', version);
+                core.setOutput('found', 'true');
+                console.log(`${file} has a ${version} release tag`);
+                break;
+              }
+            }
 
       - name: Add label
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
diff --git a/.gitpod/gitpod-setup.sh b/.gitpod/gitpod-setup.sh
index b1ba15d2d84c..7dccbf1694a6 100755
--- a/.gitpod/gitpod-setup.sh
+++ b/.gitpod/gitpod-setup.sh
@@ -4,7 +4,10 @@
 mapfile -t CONTEXT_URL_ITEMS < <(echo "$GITPOD_WORKSPACE_CONTEXT_URL" | tr '/' '\n')
 
 # Install latest pnpm
-curl -fsSL https://get.pnpm.io/install.sh | SHELL=`which bash` bash -
+PNPM_INSTALL_SCRIPT="$(mktemp)"
+curl -fsSL https://get.pnpm.io/install.sh -o "$PNPM_INSTALL_SCRIPT"
+SHELL="$(command -v bash)" bash "$PNPM_INSTALL_SCRIPT"
+rm -f "$PNPM_INSTALL_SCRIPT"
 
 # Check if Gitpod started from a specific example directory in the repository
 if [ "${CONTEXT_URL_ITEMS[7]}" = "examples" ]; then
diff --git a/scripts/turbo-run-affected.js b/scripts/turbo-run-affected.js
index e2888e59d55c..0485cb3477e3 100644
--- a/scripts/turbo-run-affected.js
+++ b/scripts/turbo-run-affected.js
@@ -49,7 +49,8 @@ for (let i = 0; i < args.length; i += 1) {
 	turboArgs.push(arg);
 }
 
-// On Windows, spawn via the shell so command resolution handles pnpm.cmd.
+// On Windows, spawn via the shell so command resolution handles pnpm.cmd
+// and special characters in turbo filter expressions (globs, brackets, etc.).
 const isWindows = process.platform === 'win32';
 const pnpmCommand = 'pnpm';
 const commandArgs = ['exec', 'turbo', 'run', ...turboArgs];