diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64bb375dcb..d0f18c0ff1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,9 +2,9 @@ name: "CI"
 
 on:
   push:
-    branches: [ "master", "restaumatic", "restaumatic-0.15.10" ]
+    branches: ["master", "restaumatic", "restaumatic-0.15.10"]
   pull_request:
-    branches: [ "master" ]
+    branches: ["master", "restaumatic"]
     paths:
       - .github/workflows/**/*.yml
       - app/**/*
@@ -23,7 +23,7 @@ on:
       - update-changelog.hs
       - weeder.dhall
   release:
-    types: [ "published" ]
+    types: ["published"]
 
 defaults:
   run:
@@ -58,8 +58,6 @@ jobs:
             image: haskell:9.2.5@sha256:2597b0e2458165a6635906204f7fac43c22e7d2a46aca1235a811194bb6cd419
           - os: ["macOS-11"]
           - os: ["windows-2019"]
-          - os: ["self-hosted", "macos", "ARM64"]
-          - os: ["self-hosted", "Linux", "ARM64"]
 
     runs-on: "${{ matrix.os }}"
     container: "${{ matrix.image }}"
@@ -82,7 +80,6 @@ jobs:
         with:
           node-version: "16"
 
-
       - id: "haskell"
         name: "(Non-Linux only) Install Haskell"
         # Note: here we exclude the self-hosted runners because this action does not work on ARM
@@ -198,11 +195,15 @@ jobs:
 
       - name: "(Release only) Publish bundle"
         if: "${{ env.CI_RELEASE == 'true' }}"
-        # This requires the gh command line tool to be installed on our
-        # self-hosted runners
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: "gh release upload --clobber ${{ github.ref_name }} sdist-test/bundle/*.{tar.gz,sha}"
+        # Astonishingly, GitHub doesn't currently maintain a first-party action
+        # for uploading assets to GitHub releases! This is the best third-party
+        # one I could find, but as this step handles a token, it seems
+        # particularly important that we lock it down to a specific audited
+        # version, instead of a tag like the other steps.
+        uses: "AButler/upload-release-assets@ec6d3263266dc57eb6645b5f75e827987f7c217d"
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          files: "sdist-test/bundle/*.{tar.gz,sha}"
 
   lint:
     runs-on: "ubuntu-latest"
@@ -223,7 +224,6 @@ jobs:
           echo deb http://deb.debian.org/debian "$VERSION_CODENAME"-backports main >> /etc/apt/sources.list
           apt-get update && apt-get install -y git/"$VERSION_CODENAME"-backports
       - uses: "actions/checkout@v2"
-
       - name: "Fix working directory ownership"
         run: |
           chown root:root .
@@ -269,32 +269,32 @@ jobs:
 
       - run: "ci/fix-home stack exec weeder"
 
-  make-prerelease:
-    runs-on: "ubuntu-latest"
-    needs:
-      - "build"
-      - "lint"
-    if: "${{ github.event_name == 'push' && needs.build.outputs.do-not-prerelease != 'true' }}"
-    steps:
-      - uses: "actions/download-artifact@v3"
-      - uses: "ncipollo/release-action@v1.10.0"
-        with:
-          tag: "v${{ needs.build.outputs.version }}"
-          artifacts: "*-bundle/*"
-          prerelease: true
-          body: "This is an automated preview release. Get the latest stable release [here](https://github.com/purescript/purescript/releases/latest)."
-      - uses: "actions/checkout@v3"
-      - uses: "actions/setup-node@v3"
-        with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
-      - name: "Publish npm package"
-        working-directory: "npm-package"
-        env:
-          BUILD_VERSION: "${{ needs.build.outputs.version }}"
-          NODE_AUTH_TOKEN: "${{ secrets.NPM_TOKEN }}"
-        run: |
-          src_version=$(node -pe 'require("./package.json").version')
-          npm version --allow-same-version "$BUILD_VERSION"
-          sed -i -e "s/--purs-ver=${src_version//./\\.}/--purs-ver=$BUILD_VERSION/" package.json
-          npm publish --tag next
+;13u  # make-prerelease:
+  #   runs-on: "ubuntu-latest"
+  #   needs:
+  #     - "build"
+  #     - "lint"
+  #   if: "${{ github.event_name == 'push' && needs.build.outputs.do-not-prerelease != 'true' }}"
+  #   steps:
+  #     - uses: "actions/download-artifact@v3"
+  #     - uses: "ncipollo/release-action@v1.10.0"
+  #       with:
+  #         tag: "v${{ needs.build.outputs.version }}"
+  #         artifacts: "*-bundle/*"
+  #         prerelease: true
+  #         body: "This is an automated preview release. Get the latest stable release [here](https://github.com/purescript/purescript/releases/latest)."
+  #     - uses: "actions/checkout@v3"
+  #     - uses: "actions/setup-node@v3"
+  #       with:
+  #         node-version: "16.x"
+  #         registry-url: "https://registry.npmjs.org"
+  #     - name: "Publish npm package"
+  #       working-directory: "npm-package"
+  #       env:
+  #         BUILD_VERSION: "${{ needs.build.outputs.version }}"
+  #         NODE_AUTH_TOKEN: "${{ secrets.NPM_TOKEN }}"
+  #       run: |
+  #         src_version=$(node -pe 'require("./package.json").version')
+  #         npm version --allow-same-version "$BUILD_VERSION"
+  #         sed -i -e "s/--purs-ver=${src_version//./\\.}/--purs-ver=$BUILD_VERSION/" package.json
+  #         npm publish --tag next