diff --git a/.github/workflows/qnx-build.yml b/.github/workflows/qnx-build.yml
index da43758..bb584c1 100644
--- a/.github/workflows/qnx-build.yml
+++ b/.github/workflows/qnx-build.yml
@@ -17,54 +17,58 @@ on: workflow_call: inputs: bazel-target: - description: "Bazel target to build with the QNX toolchain" + description: Bazel target to build with the QNX toolchain required: false - default: "//..." + default: //... type: string bazel-config: - description: "Bazel configuration to use for QNX builds" + description: Bazel configuration to use for QNX builds required: false - default: "x86_64-qnx" + default: x86_64-qnx type: string credential-helper: - description: "Relative or absolute path to the QNX credential helper script" + description: Relative or absolute path to the QNX credential helper script required: false - default: ".github/tools/qnx_credential_helper.py" + default: .github/tools/qnx_credential_helper.py type: string environment-name: - description: "Environment gating access to QNX secrets" + description: Environment gating access to QNX secrets required: false - default: "workflow-approval" + default: workflow-approval type: string bazel-disk-cache: - description: "Enable Bazel disk cache on GitHub. The value can be a string to use as cache key for separating workflows" + description: Enable Bazel disk cache on GitHub. 
The value can be a string to use as cache key for separating workflows required: false - default: "true" + default: 'true' type: string extra-bazel-flags: - description: "Additional Bazel flags to pass to the build command (whitespace separated)" + description: Additional Bazel flags to pass to the build command (whitespace separated) required: false - default: "" + default: '' type: string bazel-test-target: - description: "Bazel test targets to run with the QNX toolchain (leave empty to skip tests)" + description: Bazel test targets to run with the QNX toolchain (leave empty to skip tests) required: false - default: "" + default: '' type: string extra-bazel-test-flags: - description: "Additional Bazel flags to pass to the test command (whitespace separated)" + description: Additional Bazel flags to pass to the test command (whitespace separated) + required: false + default: '' + type: string + score-qnx-license-server: + description: Address of the QNX license server (e.g. '6287@license-server-hostname'). Configures user.bazelrc with related action env vars. required: false - default: "" type: string secrets: score-qnx-license: - description: "Base64-encoded QNX license content" + description: Base64-encoded QNX license content required: true score-qnx-user: - description: "QNX account username" + description: QNX account username required: true score-qnx-password: - description: "QNX account password" + description: QNX account password required: true jobs: 
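Review bot: The new `score-qnx-license-server` input is the only one in this block without a `default`, and its description does not say what happens when it is left empty while the `score-qnx-license` secret stays `required: true`. Adding `default: ''` would match the sibling inputs. A sentence such as `Leave empty to use the license file from the score-qnx-license secret.` would make the contract explicit, provided that is how the setup action behaves.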
@@ -84,8 +88,9 @@ jobs: qnx-build: name: Build QNX target - # always run this job, because the approval is sometimes skipped by intention - if: always() + # run this job always unless the workflow was canceled; approval may still be skipped by intention + # Do not use always(), see https://docs.github.com/en/actions/reference/workflows-and-actions/expressions#always + if: ${{ !cancelled() }} needs: approval runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} permissions: 
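Review bot: `if: ${{ !cancelled() }}` on `qnx-build` still lets the job start when the `approval` job it `needs` has failed, not only when it was skipped, so a rejected or errored approval would not keep the QNX secrets from being used. If an intentional skip is the only bypass that should be allowed, say so in the condition: `if: ${{ !cancelled() && needs.approval.result != 'failure' }}`. The `approval` job is defined outside this hunk, so confirm how a rejected environment review surfaces in its result.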
@@ -94,64 +99,36 @@ jobs: steps: - name: Checkout repository (Handle all events) - uses: actions/checkout@v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 with: ref: ${{ github.head_ref || github.event.pull_request.head.ref || github.ref }} repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} - name: Setup Bazel with shared caching - uses: bazel-contrib/setup-bazel@0.18.0 + uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 #v0.19.0 with: disk-cache: ${{ inputs.bazel-disk-cache }} repository-cache: true bazelisk-cache: true cache-save: ${{ github.event_name == 'push' }} - - name: Prepare QNX license - env: - SCORE_QNX_LICENSE: ${{ secrets.score-qnx-license }} - run: | - set -euo pipefail - - if [[ -z "${SCORE_QNX_LICENSE}" ]]; then - echo "::error::score-qnx-license secret is not set." - exit 1 - fi - - LICENSE_DIR="/opt/score_qnx/license" - sudo mkdir -p "${LICENSE_DIR}" - echo "${SCORE_QNX_LICENSE}" | base64 --decode | sudo tee "${LICENSE_DIR}/licenses" >/dev/null - - - name: Prepare credential helper - run: | - set -euo pipefail - - CRED_HELPER="${{ inputs.credential-helper }}" - if [[ "${CRED_HELPER}" != /* ]]; then - CRED_HELPER="${GITHUB_WORKSPACE}/${CRED_HELPER}" - fi - - if [[ ! -f "${CRED_HELPER}" ]]; then - echo "::error::Credential helper not found at ${CRED_HELPER}" >&2 - exit 1 - fi - - if [[ ! 
-x "${CRED_HELPER}" ]]; then - chmod +x "${CRED_HELPER}" - fi - - echo "CRED_HELPER=${CRED_HELPER}" >> "${GITHUB_ENV}" + - name: Setup QNX SDP usage + uses: mtombosch/cicd-actions/setup-qnx-sdp@cc100f511b6144ab04ddc3c09750094f8cc7e561 + #uses: eclipse-score/cicd-actions/.github/actions/setup-qnx-sdp@ceeecb09fef61202ea2bf5d93fa6160668525bec + with: + qnx-license: ${{ secrets.score-qnx-license }} + qnx-license-server: ${{ inputs.score-qnx-license-server }} + qnx-user: ${{ secrets.score-qnx-user }} + qnx-password: ${{ secrets.score-qnx-password }} + qnx-credential-helper: ${{ inputs.credential-helper }} + qnx-license-dir: /opt/score_qnx/license - name: Build with QNX toolchain - env: - SCORE_QNX_USER: ${{ secrets.score-qnx-user }} - SCORE_QNX_PASSWORD: ${{ secrets.score-qnx-password }} run: | set -euo pipefail - echo "Using credential helper at ${CRED_HELPER}" bazel build --config ${{ inputs.bazel-config }} \ - --credential_helper=*.qnx.com="${CRED_HELPER}" ${{ inputs.extra-bazel-flags }} -- \ + --credential_helper=*.qnx.com="${QNX_CREDENTIAL_HELPER}" ${{ inputs.extra-bazel-flags }} -- \ ${{ inputs.bazel-target }} - name: Install qemu @@ -169,17 +146,13 @@ jobs: - name: Test with QNX toolchain if: inputs.bazel-test-target != '' - env: - SCORE_QNX_USER: ${{ secrets.score-qnx-user }} - SCORE_QNX_PASSWORD: ${{ secrets.score-qnx-password }} run: | set -euo pipefail - echo "Using credential helper at ${CRED_HELPER}" bazel test --config ${{ inputs.bazel-config }} \ - --credential_helper=*.qnx.com="${CRED_HELPER}" ${{ inputs.extra-bazel-test-flags }} -- \ + --credential_helper=*.qnx.com="${QNX_CREDENTIAL_HELPER}" ${{ inputs.extra-bazel-test-flags }} -- \ ${{ inputs.bazel-test-target }} - name: Cleanup QNX license if: always() - run: sudo rm -rf /opt/score_qnx + run: rm -rf /opt/score_qnx/license || sudo rm -rf /opt/score_qnx/license
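Review bot: The new `Setup QNX SDP usage` step hands `score-qnx-license`, `score-qnx-user` and `score-qnx-password` to an action hosted under a personal account (`mtombosch/cicd-actions`), while the organisation-owned reference is left commented out. The commit pin fixes the code that runs, but the secrets still depend on a repository outside the project's governance; before merging, switch to `uses: eclipse-score/cicd-actions/.github/actions/setup-qnx-sdp@ceeecb09fef61202ea2bf5d93fa6160668525bec` and drop the commented line. The build step reads `${QNX_CREDENTIAL_HELPER}`, which no visible step defines, so the action presumably exports it, and probably the credentials too, for the whole job. That is wider than the per-step `env:` blocks removed here and also reaches steps such as `Install qemu`, so it is worth confirming and documenting in a comment above the step.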
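Review bot: The `Cleanup QNX license` step now removes only `/opt/score_qnx/license`, although the setup action is described as also configuring `user.bazelrc` and evidently provides `QNX_CREDENTIAL_HELPER`; anything it writes outside the license directory is left behind. `runs-on` can resolve to repository-configured runner labels, so on a persistent runner that residue would carry over to the next job. Consider letting the action ship a matching cleanup, or extend this step to remove what the action creates; which files those are is not visible in this diff.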