diff --git a/.github/actions/install-lxd/action.yaml b/.github/actions/install-lxd/action.yaml
index 3e90cd23b..a24800774 100644
--- a/.github/actions/install-lxd/action.yaml
+++ b/.github/actions/install-lxd/action.yaml
@@ -12,13 +12,21 @@ runs:
     - name: Install lxd snap
       shell: bash
       run: |
-        sudo snap refresh lxd --channel ${{ inputs.channel }}
+        if ! snap list lxd &> /dev/null; then
+          echo "Installing lxd snap"
+          sudo snap install lxd --channel ${{ inputs.channel }}
+        else
+          echo "lxd snap found, refreshing to specified channel"
+          sudo snap refresh lxd --channel ${{ inputs.channel }}
+        fi
     - name: Initialize lxd
       shell: bash
       run: |
         sudo lxd init --auto
         sudo usermod --append --groups lxd $USER
-        sg lxd -c 'lxc version'
+        # `newgrp` does not work in GitHub Actions; use `sudo --user` instead
+        # See https://github.com/actions/runner-images/issues/9932#issuecomment-2573170305
+        sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- lxc version
     # Docker sets iptables rules that interfere with LXD.
     # https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker
     - name: Apply Docker iptables workaround
diff --git a/.github/workflows/build-snap.yaml b/.github/workflows/build-snap.yaml
index fbc39d01c..0bf8c0934 100644
--- a/.github/workflows/build-snap.yaml
+++ b/.github/workflows/build-snap.yaml
@@ -43,7 +43,7 @@ jobs:
             out_snap=k8s.snap
           fi
 
-          sg lxd -c 'snapcraft --use-lxd'
+          sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- snapcraft --use-lxd
           mv k8s_*.snap $out_snap
 
           echo "snap-artifact=$out_snap" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
index 4e2aa086a..c86d1ae86 100644
--- a/.github/workflows/e2e-tests.yaml
+++ b/.github/workflows/e2e-tests.yaml
@@ -70,7 +70,7 @@ jobs:
           TEST_STRICT_INTERFACE_CHANNELS: "recent 6 strict"
           TEST_MIRROR_LIST: '[{"name": "ghcr.io", "port": 5000, "remote": "https://ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}, {"name": "docker.io", "port": 5001, "remote": "https://registry-1.docker.io", "username": "", "password": ""}, {"name": "rocks.canonical.com", "port": 5002, "remote": "https://rocks.canonical.com/cdk"}]'
         run: |
-          cd tests/integration && sg lxd -c "tox -e integration -- --tags ${{ inputs.test-tags }}"
+          cd tests/integration && sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- tox -e integration -- --tags ${{ inputs.test-tags }}
       - name: Prepare inspection reports
         if: failure()
         run: |