diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a3654ce1..0ac36d11 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ jobs:
 - name: Validate self-hosted runner guards
 run: ./tests/test_ci_self_hosted_guard.sh

+ - name: Validate create-dmg version pinning
+ run: ./tests/test_ci_create_dmg_pinned.sh
+
 web-typecheck:
 runs-on: ubuntu-latest
 defaults:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 246da9c4..052e67e3 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -15,6 +15,9 @@ on:
 permissions:
 contents: write

+env:
+ CREATE_DMG_VERSION: 8.0.0
+
 jobs:
 decide:
 runs-on: ubuntu-latest
@@ -112,7 +115,7 @@ jobs:
 run: |
 brew update
 brew install zig
- npm install --global create-dmg
+ npm install --global "create-dmg@${CREATE_DMG_VERSION}"

 - name: Build GhosttyKit.xcframework
 run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 92a60dc8..7adf546a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,9 @@ on:
 permissions:
 contents: write

+env:
+ CREATE_DMG_VERSION: 8.0.0
+
 jobs:
 build-sign-notarize:
 runs-on: self-hosted
@@ -101,7 +104,7 @@ jobs:
 run: |
 brew update
 brew install zig
- npm install --global create-dmg
+ npm install --global "create-dmg@${CREATE_DMG_VERSION}"

 - name: Download Metal Toolchain
 if: steps.guard_release_assets.outputs.skip_all != 'true'
diff --git a/tests/test_ci_create_dmg_pinned.sh b/tests/test_ci_create_dmg_pinned.sh
new file mode 100755
index 00000000..1199f699
--- /dev/null
+++ b/tests/test_ci_create_dmg_pinned.sh
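Review bot: `CREATE_DMG_VERSION: 8.0.0` in the new `env:` block of nightly.yml is an unquoted scalar, and the same value is repeated in the new `env:` block of release.yml. `8.0.0` happens to load as a string, but a later bump to a two-part value would be read as a float, so `CREATE_DMG_VERSION: "8.0.0"` is the safer form for a version pin. Nothing in the change keeps the two copies in step; a comment beside each, such as `# keep in sync with release.yml`, or an equality check in the new test would stop the nightly and release builds drifting apart.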
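Review bot: The pin in `npm install --global "create-dmg@${CREATE_DMG_VERSION}"` (nightly.yml, and the identical line in release.yml) covers only the top-level package. Unless create-dmg ships a shrinkwrap, its transitive dependencies are still resolved from semver ranges at install time, and their lifecycle scripts run on the runner. In release.yml that appears to be the self-hosted `build-sign-notarize` job under `contents: write`, although the step starts outside the hunk in both files. Installing from a committed `package.json` and `package-lock.json` with `npm ci` would make the whole tree reproducible and integrity-checked. Adding `--ignore-scripts` would reduce exposure further, provided none of the dependencies need install scripts, which should be confirmed first.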
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Regression test for https://github.com/manaflow-ai/cmux/issues/387.
+# Ensures release workflows pin create-dmg to an explicit version.
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+
+WORKFLOWS=(
+ "$ROOT_DIR/.github/workflows/release.yml"
+ "$ROOT_DIR/.github/workflows/nightly.yml"
+)
+
+for workflow in "${WORKFLOWS[@]}"; do
+ if ! grep -Eq 'npm install --global .*create-dmg@' "$workflow"; then
+ echo "FAIL: $workflow must install create-dmg with an explicit version"
+ exit 1
+ fi
+
+ if grep -Eq 'npm install --global[[:space:]]+create-dmg([[:space:]]|$)' "$workflow"; then
+ echo "FAIL: $workflow still has unpinned create-dmg install"
+ exit 1
+ fi
+done
+
+echo "PASS: create-dmg install is pinned in release workflows"
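Review bot: The first check, `grep -Eq 'npm install --global .*create-dmg@'`, accepts any suffix after `@`, so `create-dmg@latest`, a semver range, or the variable form with `CREATE_DMG_VERSION` unset would all count as pinned. Since both workflows now take the version from `env`, the loop should also assert that an exact version is defined there, for example `grep -Eq 'CREATE_DMG_VERSION:[[:space:]]*"?[0-9]+\.[0-9]+\.[0-9]+"?[[:space:]]*$' "$workflow" || { echo "FAIL: $workflow must set an exact CREATE_DMG_VERSION"; exit 1; }`. The second check recognises only the literal spelling `npm install --global`, so `npm i -g create-dmg` or `npm install -g create-dmg` would slip past it. Flagging any `npm (i|install)` line that names `create-dmg` without an `@` would be more robust.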