diff --git a/.github/workflows/aimock-drift.yml b/.github/workflows/aimock-drift.yml
index 55b25fc05..adee182bb 100644
--- a/.github/workflows/aimock-drift.yml
+++ b/.github/workflows/aimock-drift.yml
@@ -15,6 +15,9 @@ permissions:
 contents: read
 issues: write
+env:
+ DO_NOT_TRACK: '1'
+
 jobs:
 drift:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 04cb5e57a..8dcc817b8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,9 @@ concurrency:
 permissions:
 contents: read
+env:
+ DO_NOT_TRACK: '1'
+
 jobs:
 ci-scope:
 name: CI scope
diff --git a/.github/workflows/deploy-langgraph.yml b/.github/workflows/deploy-langgraph.yml
index 8d3937bdc..1b0d8d949 100644
--- a/.github/workflows/deploy-langgraph.yml
+++ b/.github/workflows/deploy-langgraph.yml
@@ -24,6 +24,9 @@ concurrency:
 permissions:
 contents: read
+env:
+ DO_NOT_TRACK: '1'
+
 jobs:
 deploy:
 name: Deploy shared cockpit-dev to LangGraph Cloud
diff --git a/.github/workflows/posthog-quality.yml b/.github/workflows/posthog-quality.yml
index 836d7319b..3effa5c78 100644
--- a/.github/workflows/posthog-quality.yml
+++ b/.github/workflows/posthog-quality.yml
@@ -21,6 +21,9 @@ concurrency:
 permissions:
 contents: read
+env:
+ DO_NOT_TRACK: '1'
+
 jobs:
 live-quality:
 name: Live telemetry contract and coverage
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index acdbd0511..ad9956ca5 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: false
+env:
+ DO_NOT_TRACK: '1'
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/scripts/ci-workflow.spec.mjs b/scripts/ci-workflow.spec.mjs
index c7dee5094..679194d3f 100644
--- a/scripts/ci-workflow.spec.mjs
+++ b/scripts/ci-workflow.spec.mjs
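Review bot: Nothing beside the new workflow-level `env:` block in aimock-drift.yml says which tool is expected to read `DO_NOT_TRACK`, or that a test now requires the key, so a later cleanup could remove it as dead configuration. A one-line comment above the key would cover it, for example `# Opt out of install-time telemetry from npm tooling; enforced by scripts/ci-workflow.spec.mjs`. `DO_NOT_TRACK` is an opt-out convention that each tool decides whether to honour, so the comment should ideally name the package it is aimed at. The same applies to the identical hunks in ci.yml, deploy-langgraph.yml, posthog-quality.yml and publish.yml.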
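Review bot: In posthog-quality.yml the variable is set for the whole workflow, which includes the `live-quality` job named "Live telemetry contract and coverage". If any step of that job emits events through a client that honours `DO_NOT_TRACK` (not visible in this hunk), the quality check could pass or fail for the wrong reason. Confirm that the job only reads from PostHog, or scope the variable to the install step with a step-level `env:`. The new spec asserts a top-level key, so it would have to change together with that.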
@@ -1,4 +1,4 @@
-import { readFile } from 'node:fs/promises';
+import { readdir, readFile } from 'node:fs/promises';
 import { describe, it } from 'node:test';
 import assert from 'node:assert/strict';
@@ -32,6 +32,18 @@ describe('CI workflow', () => {
 return readFile('.github/workflows/posthog-quality.yml', 'utf8');
 }
+ async function readWorkflowFiles() {
+ const names = await readdir('.github/workflows');
+ return Promise.all(
+ names
+ .filter((name) => name.endsWith('.yml'))
+ .map(async (name) => ({
+ name,
+ text: await readFile(`.github/workflows/${name}`, 'utf8'),
+ }))
+ );
+ }
+
 it('treats nested library files as deploy-relevant changes', async () => {
 const deployJob = await readDeployJob();
@@ -90,4 +102,20 @@ describe('CI workflow', () => {
 /POSTHOG_PERSONAL_API_KEY:\s*\$\{\{\s*secrets\.POSTHOG_PERSONAL_API_KEY_READONLY\s*\}\}/
 );
 });
+
+ it('explicitly disables install telemetry in workflows that install npm dependencies', async () => {
+ const workflowsWithNpmInstall = (await readWorkflowFiles()).filter(
+ ({ text }) => /\brun:\s*npm (?:ci|install)\b/.test(text)
+ );
+
+ assert.notEqual(workflowsWithNpmInstall.length, 0);
+
+ for (const { name, text } of workflowsWithNpmInstall) {
+ assert.match(
+ text,
+ /\nenv:\n(?: [A-Z0-9_]+: .+\n)* DO_NOT_TRACK: ['"]1['"]/,
+ `${name} should set top-level DO_NOT_TRACK=1`
+ );
+ }
+ });
 });
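Review bot: `readWorkflowFiles` keeps only names ending in `.yml`, but GitHub Actions also loads `.yaml` files from `.github/workflows`, so a workflow added with that extension would never reach the `DO_NOT_TRACK` assertion. Changing the filter to `.filter((name) => /\.ya?ml$/.test(name))` closes that gap. A short comment stating that the helper returns `{ name, text }` for every workflow file would also help readers. The enclosing `describe` callback starts and ends outside this hunk.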
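Review bot: The selector `/\brun:\s*npm (?:ci|install)\b/` recognises an install only when `npm ci` or `npm install` directly follows `run:`. A step written as a `run: |` block, or one that uses `npm i`, therefore drops its workflow out of the check without any failure. Matching per line instead, for example `/^\s*(?:-\s+)?(?:run:\s*)?npm (?:ci|install|i)\b/m`, would cover block scalars and the short alias. The `assert.notEqual(..., 0)` guard only proves that at least one workflow was selected, not that every installing workflow was, so the guarantee is only as strong as this selector.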