diff --git a/.github/workflows/build_release_assets.yml b/.github/workflows/build_release_assets.yml
index 7dfeda6fa2..6ec0988ba9 100644
--- a/.github/workflows/build_release_assets.yml
+++ b/.github/workflows/build_release_assets.yml
@@ -42,6 +42,7 @@ jobs:
   build_os_packages:
     name: Build packages
     runs-on: ${{ matrix.os }}
+    container: ${{ matrix.os == 'ubuntu-22.04' && 'quay.io/pypa/manylinux_2_28_x86_64' || null }}
     strategy:
       fail-fast: false
       matrix:
@@ -64,12 +65,25 @@ jobs:
           # Get enough commits to run `ggshield secret scan commit-range` on ourselves
           fetch-depth: 10
 
-      - name: Set up Python 3.10
+      - name: Set up Python 3.10 (Windows 1)
         uses: actions/setup-python@v5
-        if: "!startsWith(matrix.os, 'macos-')"
+        if: matrix.os == 'windows-2022'
         with:
           python-version: '3.10'
 
+      - name: Set up Python 3.10 (Windows 2)
+        uses: actions/setup-python@v5
+        if: matrix.os == 'windows-2022'
+        run: |
+          echo PYTHON_CMD=python >> $GITHUB_ENV
+
+      - name: Set up Python 3.10 (Linux)
+        if: matrix.os == 'ubuntu-22.04'
+        # Make `python` points to python 3.10
+        run: |
+          ln -s $(which python3.10) /usr/local/bin/python
+          echo PYTHON_CMD=/usr/local/bin/python >> $GITHUB_ENV
+
       - name: Install macOS specific dependencies
         if: startsWith(matrix.os, 'macos-')
         run: |
@@ -92,6 +106,7 @@ jobs:
 
           # Make Python available
           echo PATH=$PWD/python/bin:$PATH >> $GITHUB_ENV
+          echo PYTHON_CMD=$PWD/python/bin/python >> $GITHUB_ENV
 
           # Install rcodesign
           RCODESIGN_VERSION=0.27.0
@@ -109,10 +124,11 @@ jobs:
       - name: Install dependencies
         shell: bash
         run: |
-          python -m pip install --upgrade pip
-          python -m pip install --upgrade \
+          pipx install \
+            --python "$PYTHON_CMD" \
             pipenv==2023.12.1 \
             pyinstaller==6.7.0
+
           pipenv install --system --dev
         env:
           # Disable lock otherwise Windows-only dependencies like colorama are not installed
@@ -121,15 +137,20 @@ jobs:
       - name: Install Linux specific dependencies
         if: matrix.os == 'ubuntu-22.04'
         run: |
+          # Install NFPM
           NFPM_VERSION=2.36.1
-          NFPM_CHECKSUM=05c17a1e09c470807b149fdd7bcd8f600eea044f459fc3ce81aa230103c0baf5
+          NFPM_CHECKSUM=9f8effa24bc6033b509611dbe68839542a63e825525b195672298c369051ef0b
 
           scripts/download \
-            https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_amd64.deb \
-            nfpm.deb \
+            https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz \
+            nfpm.tar.gz \
             $NFPM_CHECKSUM
 
-          sudo dpkg -i nfpm.deb
+          tar xf nfpm.tar.gz nfpm
+          cp nfpm /usr/local/bin
+
+          # Avoid "dubious permission" git error
+          git config --global --add safe.directory '*'
 
       - name: Prepare macOS secrets
         if: startsWith(matrix.os, 'macos-') && inputs.release_mode