diff --git a/.github/workflows/reusable-ci.yml b/.github/workflows/reusable-ci.yml
index d4846df..d05d015 100644
--- a/.github/workflows/reusable-ci.yml
+++ b/.github/workflows/reusable-ci.yml
@@ -133,7 +133,7 @@ jobs:
           REGISTRY_TOKEN: ${{ secrets.registry-token || github.token }}
           ANTHROPIC_API_KEY: ${{ secrets.anthropic-api-key }}
         run: |
-          bash .github/scripts/preflight-secrets.sh \
+          bash .openci/.github/scripts/preflight-secrets.sh \
             --required "REGISTRY_TOKEN" \
             --optional "ANTHROPIC_API_KEY"
 
diff --git a/.github/workflows/reusable-pr.yml b/.github/workflows/reusable-pr.yml
index 812b985..60bbbd0 100644
--- a/.github/workflows/reusable-pr.yml
+++ b/.github/workflows/reusable-pr.yml
@@ -97,6 +97,10 @@ jobs:
         uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493  # v4.2.2
         with:
           persist-credentials: false
+      - name: Resolve OpenCI ref and checkout
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@9bd9cf085ba9d3a199b701d42ea054e1625a65ce
+        with:
+          openci-ref: ${{ inputs.openci-ref }}
       - name: Probe secrets
         env:
           ANTHROPIC_API_KEY: ${{ secrets.anthropic-api-key }}
@@ -104,7 +108,7 @@ jobs:
           SONAR_TOKEN:       ${{ secrets.sonar-token }}
           SNYK_TOKEN:        ${{ secrets.snyk-token }}
         run: |
-          bash .github/scripts/preflight-secrets.sh \
+          bash .openci/.github/scripts/preflight-secrets.sh \
             --required "" \
             --optional "ANTHROPIC_API_KEY,CODECOV_TOKEN,SONAR_TOKEN,SNYK_TOKEN"
 
@@ -412,6 +416,10 @@ jobs:
         with:
           persist-credentials: false
           fetch-depth: 0   # required so git ls-tree can resolve the self-ref SHA
+      - name: Resolve OpenCI ref and checkout
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@9bd9cf085ba9d3a199b701d42ea054e1625a65ce
+        with:
+          openci-ref: ${{ inputs.openci-ref }}
       - name: Install yq
         run: |
           if ! command -v yq >/dev/null 2>&1; then
@@ -420,7 +428,7 @@ jobs:
             sudo chmod +x /usr/local/bin/yq
           fi
       - name: Run verify-sha-consistency.sh
-        run: bash .github/scripts/verify-sha-consistency.sh
+        run: bash .openci/.github/scripts/verify-sha-consistency.sh
 
   lint:
     permissions: {}
diff --git a/.github/workflows/reusable-prd.yml b/.github/workflows/reusable-prd.yml
index 6eeda19..6ed1051 100644
--- a/.github/workflows/reusable-prd.yml
+++ b/.github/workflows/reusable-prd.yml
@@ -186,11 +186,11 @@ jobs:
           SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }}
         run: |
           if [ "$DEPLOY_TYPE" = "k8s" ]; then
-            bash .github/scripts/preflight-secrets.sh \
+            bash .openci/.github/scripts/preflight-secrets.sh \
               --required "KUBECONFIG_PRD" \
               --optional "SLACK_WEBHOOK_URL"
           else
-            bash .github/scripts/preflight-secrets.sh \
+            bash .openci/.github/scripts/preflight-secrets.sh \
               --required "SSH_KEY_PRD" \
               --optional "SLACK_WEBHOOK_URL"
           fi
diff --git a/.github/workflows/reusable-stg.yml b/.github/workflows/reusable-stg.yml
index 0c551a9..f9485e4 100644
--- a/.github/workflows/reusable-stg.yml
+++ b/.github/workflows/reusable-stg.yml
@@ -169,11 +169,11 @@ jobs:
           SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }}
         run: |
           if [ "$DEPLOY_TYPE" = "k8s" ]; then
-            bash .github/scripts/preflight-secrets.sh \
+            bash .openci/.github/scripts/preflight-secrets.sh \
               --required "KUBECONFIG_STG" \
               --optional "SLACK_WEBHOOK_URL"
           else
-            bash .github/scripts/preflight-secrets.sh \
+            bash .openci/.github/scripts/preflight-secrets.sh \
               --required "SSH_KEY_STG" \
               --optional "SLACK_WEBHOOK_URL"
           fi