diff --git a/.github/actions/set-up-legacy-python/action.yml b/.github/actions/set-up-legacy-python/action.yml
index 791c7db..33fd70e 100644
--- a/.github/actions/set-up-legacy-python/action.yml
+++ b/.github/actions/set-up-legacy-python/action.yml
@@ -20,8 +20,22 @@ runs:
       with:
         default: "${{ inputs.python-version }}"
         command: pip install -U pip
+
+    - name: Restore PATH on cache hit
+      if: steps.pyenv-cache.outputs.cache-hit == 'true'
+      shell: bash
+      run: |
+        PYENV_ROOT="/opt/hostedtoolcache/pyenv_root/2.4.20/x64"
+        PYTHON_BIN="$PYENV_ROOT/versions/${{ inputs.python-version }}/bin"
+        echo "$PYTHON_BIN" >> $GITHUB_PATH
+
+    - name: Verify Python version
+      shell: bash
+      run: |
+        echo "Active Python: $(python --version)"
+        python --version 2>&1 | grep -q "^Python ${{ inputs.python-version }}" || (echo "ERROR: Expected Python ${{ inputs.python-version }}" && exit 1)
     - name: Install dependencies
       run: |
         python -m pip install flake8 pytest setuptools wheel
-        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+        if [ -f requirements.txt ]; then python -m pip install -r requirements.txt; fi
       shell: bash
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a00243e..6a2323d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -26,35 +26,34 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+      - name: Verify Python version
+        run: |
+          echo "Active Python: $(python --version)"
+          python --version | grep -q "^Python ${{ matrix.python-version }}" || (echo "ERROR: Expected Python ${{ matrix.python-version }}" && exit 1)
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           python -m pip install flake8 pyright pyflakes pytest setuptools wheel
-          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+          if [ -f requirements.txt ]; then python -m pip install -r requirements.txt; fi
       - name: Lint with flake8
-        run: |
-          flake8 . --ignore=E203,W503,E722,E731 --max-complexity=100 --max-line-length=160
+        run: python -m flake8 . --exclude=.venv --ignore=E203,W503,E722,E731 --max-complexity=100 --max-line-length=160
       - name: Lint with pyright (type checking)
-        run: |
-          pyright cf_remote
+        run: python -m pyright cf_remote
       - name: Lint with pyflakes
-        run: |
-          pyflakes cf_remote
+        run: python -m pyflakes cf_remote
       - name: Test with pytest
-        run: |
-          pytest
+        run: python -m pytest
       - name: Install
         run: |
           python setup.py sdist bdist_wheel
-          pip install dist/cf_remote-*.whl
+          python -m pip install dist/cf_remote-*.whl
       - name: Sanity check
         run: cf-remote -V
       - name: Run docker test
-        run: |
-          bash tests/docker/0*.sh
+        run: bash tests/docker/0*.sh
       - name: Run unsafe tests
-        run: |
-          bash tests/unsafe/0*.sh
+        run: bash tests/unsafe/0*.sh
+
   test-legacy:
     runs-on: ubuntu-24.04
     permissions:
@@ -77,21 +76,18 @@ jobs:
       - name: Lint with flake8
         run: |
           # stop the build if there are Python syntax errors or undefined names
-          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+          python -m flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
           # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+          python -m flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
       - name: Test with pytest
-        run: |
-          pytest
+        run: python -m pytest
       - name: Install
         run: |
           python setup.py sdist bdist_wheel
-          pip install dist/cf_remote-*.whl
+          python -m pip install dist/cf_remote-*.whl
       - name: Sanity check
         run: cf-remote -V
       - name: Run docker test
-        run: |
-          bash tests/docker/0*.sh
+        run: bash tests/docker/0*.sh
       - name: Run unsafe tests
-        run: |
-          bash tests/unsafe/0*.sh
+        run: bash tests/unsafe/0*.sh
diff --git a/cf_remote/demo.py b/cf_remote/demo.py
index 5a7fc70..cdefeb8 100644
--- a/cf_remote/demo.py
+++ b/cf_remote/demo.py
@@ -1,7 +1,7 @@
 import os
 import json
 import hashlib
-import secrets
+from random import SystemRandom
 import shutil
 import string
 import tempfile
@@ -34,8 +34,8 @@ def generate_password():
     salt + password concatenated with no separator. The password is meant
     to be shown to the user; only the salt and sha are sent to the host.
     """
-    password = "".join(secrets.choice(string.ascii_letters) for _ in range(14))
-    salt = "".join(secrets.choice(string.ascii_letters) for _ in range(10))
+    password = "".join(SystemRandom().choice(string.ascii_letters) for _ in range(14))
+    salt = "".join(SystemRandom().choice(string.ascii_letters) for _ in range(10))
     sha = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
     return password, salt, sha