diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 364ef2e2fc..8799cebf3a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,7 @@ jobs: PKG_DIR=../proxy make -C securedrop-builder requirements git config --global --add safe.directory "$GITHUB_WORKSPACE" git diff --ignore-matching-lines=# --exit-code - + build-debs: strategy: @@ -122,7 +122,16 @@ jobs: piuparts: strategy: + fast-fail: false matrix: + # TODO: client sets up apparmor, which doesn't work in our CI setup + # TODO: get workstation-viewer to pass piuparts (pulls in grsec and qubes packages) + package: + - export + - keyring + - log + - proxy + - workstation-config debian_version: - bullseye - bookworm @@ -144,4 +153,5 @@ jobs: -v "/$(pwd)/build-${{ matrix.debian_version }}:/build" \ -v "/$(pwd)/.github/workflows/piuparts:/piuparts" \ -e DISTRO=${{ matrix.debian_version }} \ + -e PACKAGE=${{ matrix.package }} \ debian:${{ matrix.debian_version }} bash /piuparts/run-piuparts.sh diff --git a/.github/workflows/piuparts/run-piuparts.sh b/.github/workflows/piuparts/run-piuparts.sh index c045bb671c..dcbe7c3110 100644 --- a/.github/workflows/piuparts/run-piuparts.sh +++ b/.github/workflows/piuparts/run-piuparts.sh 
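Review bot: In the second build.yml hunk, `fast-fail: false` under the `piuparts` job's `strategy` looks like a transposition of the GitHub Actions key `fail-fast`. As written the intended setting will not apply, and the workflow may be rejected for an unknown strategy key, so one failing package could still cancel the other matrix jobs and hide their piuparts results. The line should read `fail-fast: false`. The `strategy` block continues past the end of the hunk, so the full matrix is not visible here.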
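Review bot: In the third build.yml hunk, `-e PACKAGE=${{ matrix.package }}` is substituted into the script text before the shell runs, with no quoting. The values come from the literal `package:` list added in this commit, so nothing untrusted reaches the command today, but the safer pattern is to set `PACKAGE: ${{ matrix.package }}` in the step's `env:` and pass a bare `-e PACKAGE` to `docker run`. That keeps the command safe if the matrix is ever computed rather than listed. The existing `-e DISTRO=${{ matrix.debian_version }}` line has the same shape, and the `docker run` command begins outside the hunk.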
@@ -8,13 +8,8 @@ cd /piuparts cp /keyring/securedrop-keyring.gpg . docker build . --build-arg DISTRO=$DISTRO -t ourimage -# TODO: client sets up apparmor, which doesn't work in our CI setup -# TODO: get workstation-viewer to pass piuparts (pulls in grsec and qubes packages) -for pkg in export keyring log proxy workstation-config; -do - piuparts --docker-image ourimage \ - --distribution $DISTRO \ - --extra-repo 'deb [signed-by=/usr/share/keyrings/securedrop-keyring.gpg] https://apt.freedom.press bullseye main' \ - --warn-on-leftovers-after-purge \ - /build/securedrop-${pkg}*.deb -done +piuparts --docker-image ourimage \ + --distribution $DISTRO \ + --extra-repo 'deb [signed-by=/usr/share/keyrings/securedrop-keyring.gpg] https://apt.freedom.press bullseye main' \ + --warn-on-leftovers-after-purge \ + /build/securedrop-${PACKAGE}*.deb
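Review bot: `PACKAGE` is now a required input, but the new `piuparts` call never checks it: with an empty value `/build/securedrop-${PACKAGE}*.deb` widens to every securedrop package in `/build`, so the job would appear to be a per-package run while testing something else. Whether the script enables `set -u` is not visible in this hunk, and that would not catch an empty string in any case. Adding `: "${PACKAGE:?PACKAGE must be set}"` before the call makes the failure explicit, and `--distribution "$DISTRO"` should be quoted. Separately, the `--extra-repo` line still names `bullseye` when `$DISTRO` is `bookworm`; if that is deliberate, a short comment saying why would help the next reader.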