diff --git a/.gitea/workflows/android-build.yml b/.gitea/workflows/android-build.yml
index ccd0801..a692826 100644
--- a/.gitea/workflows/android-build.yml
+++ b/.gitea/workflows/android-build.yml
@@ -63,8 +63,8 @@ jobs:
 - name: Install system dependencies
 run: |
- sudo apt-get update
- sudo apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng cmake ninja-build clang pkg-config
+ sh scripts/ci/exec-priv.sh apt-get update
+ sh scripts/ci/exec-priv.sh apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng cmake ninja-build clang pkg-config
 - name: Setup Task
 run: sh scripts/ci/setup-task.sh
diff --git a/.gitea/workflows/build-test.yml b/.gitea/workflows/build-test.yml
index f70699f..3e916e5 100644
--- a/.gitea/workflows/build-test.yml
+++ b/.gitea/workflows/build-test.yml
@@ -47,9 +47,9 @@ jobs:
 - name: Install system dependencies
 run: |
- sudo dpkg --add-architecture i386
- sudo apt-get update
- sudo apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng zip rpm elfutils appstream appstream-util
+ sh scripts/ci/exec-priv.sh dpkg --add-architecture i386
+ sh scripts/ci/exec-priv.sh apt-get update
+ sh scripts/ci/exec-priv.sh apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng zip rpm elfutils appstream appstream-util
 - name: Setup Task
 run: sh scripts/ci/setup-task.sh
diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 6370102..c18e51e 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -86,9 +86,9 @@ jobs:
 - name: Install system dependencies
 run: |
- sudo dpkg --add-architecture i386
- sudo apt-get update
- sudo apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng zip rpm elfutils
+ sh scripts/ci/exec-priv.sh dpkg --add-architecture i386
+ sh scripts/ci/exec-priv.sh apt-get update
+ sh scripts/ci/exec-priv.sh apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng zip rpm elfutils
 - name: Setup Task
 run: sh scripts/ci/setup-task.sh
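Review bot: The sudo and already-root paths of the new helper diverge on environment handling, and the three `Install system dependencies` hunks (android-build.yml, build-test.yml, build.yml) now depend on that: if `run_priv` in `scripts/ci/priv.sh` (not part of this diff) falls back to `sudo`, sudo's default env_reset drops variables a runner may export for apt — `DEBIAN_FRONTEND`, `http_proxy`/`https_proxy` — while the root path keeps them, so a step can stall on an interactive package prompt or miss the proxy only on sudo-capable runners. Either forward them in the sudo branch of the helper (`sudo --preserve-env=DEBIAN_FRONTEND,http_proxy,https_proxy "$@"`) or set them on the command itself, e.g. `sh scripts/ci/exec-priv.sh env DEBIAN_FRONTEND=noninteractive apt-get install -y ...`. The `sh scripts/ci/exec-priv.sh` prefix repeated on every line would also read better as a single `priv() { sh scripts/ci/exec-priv.sh "$@"; }` defined once at the top of each `run: |` block. The enclosing `steps:` list starts outside each of these hunks.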
@@ -133,7 +133,7 @@ jobs:
 # Generate SBOM (CycloneDX)
 curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
- sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y
+ sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
 trivy fs --format cyclonedx --include-dev-deps --output release-assets/sbom.cyclonedx.json .
 # Generate checksums
diff --git a/.gitea/workflows/docker.yml b/.gitea/workflows/docker.yml
index 96b56ed..5f3a385 100644
--- a/.gitea/workflows/docker.yml
+++ b/.gitea/workflows/docker.yml
@@ -44,7 +44,7 @@ jobs:
 - name: Download Trivy
 run: |
 curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
- sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y
+ sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
 - name: Trivy FS scan
 run: trivy fs --exit-code 1 .
@@ -100,7 +100,7 @@ jobs:
 - name: Download Trivy
 run: |
 curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
- sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y
+ sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
 - name: Trivy FS scan
 run: trivy fs --exit-code 1 .
diff --git a/.gitea/workflows/scan.yml b/.gitea/workflows/scan.yml
index c9cac42..9141df1 100644
--- a/.gitea/workflows/scan.yml
+++ b/.gitea/workflows/scan.yml
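Review bot: The `||` fallback on the new `dpkg -i` line still lets the step pass when dpkg fails for a reason other than unmet dependencies, because `apt-get install -f -y` exits 0 when there is nothing to fix; the `curl -L -o` on the context line above has no `--fail`, so a 404 or HTML error body written to `/tmp/trivy.deb` ends in a green step and a later `trivy: command not found`. Use `curl -fL -o /tmp/trivy.deb ...` and close the step with `trivy --version` so a missing binary fails here rather than inside the scan. The same pattern is in both docker.yml hunks (`@@ -44` and `@@ -100`) and in the scan.yml hunk. Since the helper now installs this package with root privileges, a pinned digest check such as `echo "<TRIVY_DEB_SHA256>  /tmp/trivy.deb" | sha256sum -c` would also make the install's integrity independent of the git.quad4.io host; the commit hash in the URL only fixes which blob that server is expected to serve.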
@@ -52,7 +52,7 @@ jobs:
 - name: Download Trivy
 run: |
 curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
- sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y
+ sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
 - name: Trivy FS scan
 run: trivy fs --exit-code 1 --skip-dirs .pnpm-store .
diff --git a/scripts/ci/exec-priv.sh b/scripts/ci/exec-priv.sh
new file mode 100644
index 0000000..7d6a59d
--- /dev/null
+++ b/scripts/ci/exec-priv.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Run a command with root privileges: use sudo only when not root (Docker/act often have no sudo).
+# Usage: sh scripts/ci/exec-priv.sh apt-get update
+set -eu
+ . "$(dirname "$0")/priv.sh"
+run_priv "$@"
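Review bot: `exec-priv.sh` sources `priv.sh` from its own directory and calls `run_priv`, and neither is in this diff, so every workflow touched here depends on `scripts/ci/priv.sh` already existing with that function; please confirm, and since the root-or-sudo decision the header describes lives in that file, point the comment at it: `# Delegates to run_priv (scripts/ci/priv.sh), which uses sudo only when not already root.`. A call with no arguments reaches `run_priv` with nothing to run and whatever error that produces; a guard `[ "$#" -gt 0 ] || { echo "usage: $0 command [args...]" >&2; exit 2; }` before the call makes the misuse explicit. The file is added as mode 100644 and every caller invokes it through `sh`, which is consistent, but it means the `#!/bin/sh` line is never used; either convention is fine as long as it is deliberate.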