diff --git a/.github/docker/Dockerfile.ci b/.github/docker/Dockerfile.ci
index b507200b..0149cf8e 100644
--- a/.github/docker/Dockerfile.ci
+++ b/.github/docker/Dockerfile.ci
@@ -57,4 +57,5 @@ RUN mv /workspace/node_modules /opt/node_modules_cache \
 # the workflow must set options.user or use gosu/su-exec at runtime).
 RUN useradd -m -s /bin/bash runner \
     && chmod -R a+rX /opt/node_modules_cache \
-    && mkdir -p /home/runner/.gstack && chown -R runner:runner /home/runner/.gstack
+    && mkdir -p /home/runner/.gstack && chown -R runner:runner /home/runner/.gstack \
+    && mkdir -p /tmp/bun-cache && chmod 1777 /tmp/bun-cache
diff --git a/.github/workflows/evals.yml b/.github/workflows/evals.yml
index f2fea6c7..ce21d8f5 100644
--- a/.github/workflows/evals.yml
+++ b/.github/workflows/evals.yml
@@ -98,6 +98,20 @@ jobs:
         with:
           fetch-depth: 0
 
+      # Ensure temp directories are writable (GH Actions container user may not own /tmp)
+      - name: Fix temp dirs
+        run: |
+          mkdir -p /tmp/bun-cache /tmp/playwright-tmp
+          chmod 1777 /tmp/bun-cache /tmp/playwright-tmp 2>/dev/null || true
+          # If /tmp isn't writable, use home dir
+          if ! touch /tmp/.write-test 2>/dev/null; then
+            export TMPDIR="$HOME/tmp"
+            mkdir -p "$TMPDIR"
+            echo "TMPDIR=$TMPDIR" >> "$GITHUB_ENV"
+          else
+            rm -f /tmp/.write-test
+          fi
+
       # Restore pre-installed node_modules from Docker image via symlink (~0s vs ~15s install)
       # If package.json changed since image was built, fall back to fresh install
       - name: Restore deps