diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 157e0ec..9aa3503 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,13 +19,12 @@ permissions:
   id-token: write
 jobs:
   package:
-    uses: tinyland-inc/ci-templates/.github/workflows/js-bazel-package.yml@0d88ad73c6884f4854624d3a2ec4b6ce41f5bea8
+    uses: tinyland-inc/ci-templates/.github/workflows/js-bazel-package.yml@61cd1338ca9dae8a25985c0a36ff7beb111449be
     with:
-      runner_mode: shared
-      shared_runner_labels_json: ${{ vars.PRIMARY_LINUX_RUNNER_LABELS_JSON }}
+      runner_mode: repo_owned
       runner_labels_json: ${{ vars.PRIMARY_LINUX_RUNNER_LABELS_JSON }}
       workspace_mode: isolated
-      publish_mode: same_runner
+      publish_mode: hosted_exception
       node_versions: '["22"]'
       publish_node_version: "22"
       pnpm_version: "10.13.1"
@@ -36,6 +35,7 @@ jobs:
       bazel_targets: "//:pkg //:test"
       package_dir: ./bazel-bin/pkg
       npm_access: public
+      npm_publish_mode: disabled
       github_package_name: "@tinyland-inc/tinyland-security"
       dry_run: ${{ !(github.event_name == 'workflow_dispatch' && inputs.publish == true) }}
       publish_on_tag: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9ee79c4..b21048d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,13 +16,12 @@ permissions:
   packages: write
 jobs:
   package:
-    uses: tinyland-inc/ci-templates/.github/workflows/js-bazel-package.yml@f23f67b00ed39f439aa3a18a21d343460f10a8c0
+    uses: tinyland-inc/ci-templates/.github/workflows/js-bazel-package.yml@61cd1338ca9dae8a25985c0a36ff7beb111449be
     with:
-      runner_mode: shared
-      shared_runner_labels_json: ${{ vars.PRIMARY_LINUX_RUNNER_LABELS_JSON }}
+      runner_mode: repo_owned
       runner_labels_json: ${{ vars.PRIMARY_LINUX_RUNNER_LABELS_JSON }}
       workspace_mode: isolated
-      publish_mode: same_runner
+      publish_mode: hosted_exception
       node_versions: '["22"]'
       publish_node_version: "22"
       pnpm_version: "10.13.1"
@@ -33,6 +32,7 @@ jobs:
       bazel_targets: "//:pkg //:test"
       package_dir: ./bazel-bin/pkg
       npm_access: public
+      npm_publish_mode: disabled
       github_package_name: "@tinyland-inc/tinyland-security"
       dry_run: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run || false }}
     secrets: inherit