diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e027c55..aa9e2b7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,7 +28,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-latest, macos-latest, windows-latest] + os: [windows-latest] # Do not forget to bump every 6 months! gover: ["1.21"] env: @@ -43,31 +43,6 @@ jobs: - uses: actions/setup-go@v4 with: go-version: "~${{matrix.gover}}.0" - - name: 'go install necessary tools' - if: always() - run: | - go install github.com/maruel/pat/cmd/ba@latest - - name: 'Check: go test -cover' - if: always() - run: go test -timeout=5m -covermode=count -coverprofile coverage.txt -bench=. -benchtime=1x ./... - # Don't send code coverage if anything failed to reduce spam. - - uses: codecov/codecov-action@v3 - - name: 'Cleanup' - if: always() - run: rm coverage.txt - - name: 'Check: go test -race' - run: go test -timeout=5m -race -bench=. -benchtime=1x ./... - - name: 'Check: benchmark 📈' - run: ba -against HEAD~1 - - name: 'Check: go test -short (CGO_ENABLED=0)' - env: - CGO_ENABLED: 0 - run: go test -timeout=5m -short -bench=. -benchtime=1x ./... - - name: 'Check: go test -short (32 bits)' - if: matrix.os != 'macos-latest' - env: - GOARCH: 386 - run: go test -timeout=5m -short -bench=. -benchtime=1x ./... - name: 'Install shac' if: always() run: go install . 
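Review bot: The `os` matrix of the test job is narrowed to `[windows-latest]`, so after this commit nothing in the workflow runs on Linux or macOS. The later hunks in this file also delete the `go test -race`, coverage, `CGO_ENABLED=0` and 32-bit steps, and the whole `lint` and `codeql` jobs, which leaves the repository with no race detection and no static security analysis in CI. The `nsjail-linux-*` paths named in the removed lint step suggest the sandbox code is Linux-specific and would then go untested; please confirm. If this is a temporary narrowing to debug a Windows failure, say so next to the matrix with `# TEMPORARY: Windows-only while debugging; restore the full matrix before merging`. Before this lands on the main branch, restore `os: [ubuntu-latest, macos-latest, windows-latest]` and the removed jobs.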
@@ -88,149 +63,3 @@ jobs: git diff false fi - - - # Run linters. This workflow can be merged with the test_all one if desired - # to cut on runtime, at the cost of latency. I dislike waiting for results - # so I prefer to run them in parallel. - lint: - name: "lint: go${{matrix.gover}}.x/${{matrix.os}}" - runs-on: "${{matrix.os}}" - continue-on-error: true - defaults: - run: - shell: bash - strategy: - fail-fast: false - matrix: - # You may want to run only on linux to save on cost. Projects with - # OS-specific code benefits from explicitly linting on macOS and - # Windows. - os: [ubuntu-latest, macos-latest, windows-latest] - # Do not forget to bump every 6 months! - gover: ["1.21"] - env: - PYTHONDONTWRITEBYTECODE: x - steps: - - name: Turn off git core.autocrlf - if: matrix.os == 'windows-latest' - run: git config --global core.autocrlf false - - uses: actions/checkout@v3 - - uses: actions/setup-go@v4 - with: - go-version: "~${{matrix.gover}}.0" - - name: "Debug" - run: | - echo HOME = $HOME - echo GITHUB_WORKSPACE = $GITHUB_WORKSPACE - echo PATH = $PATH - echo "" - echo $ ls -l $HOME/go/bin - ls -la $HOME/go/bin - - name: Install protoc - # See https://github.com/arduino/setup-protoc/issues/33 - if: ${{ false }} - uses: arduino/setup-protoc@v1 - with: - version: '21.12' - - name: 'go install necessary tools (ubuntu)' - if: always() && matrix.os == 'ubuntu-latest' - run: | - go install github.com/client9/misspell/cmd/misspell@latest - go install github.com/google/addlicense@latest - - name: 'Check: go vet' - if: always() - run: go vet -unsafeptr=false ./... - # run them on ubuntu-latest since it's the fastest one. - - name: 'Check: no executable was committed (ubuntu)' - if: always() && matrix.os == 'ubuntu-latest' - run: | - if find . -path '*.sh' -prune -o \ - -path ./.git -prune -o \ - -path './internal/sandbox/nsjail-linux-*' -prune -o \ - -type f -executable -print | grep -e . 
; then - echo 'Do not commit executables beside shell scripts' - false - fi - - name: 'Check: addlicense; all sources have a license header (ubuntu)' - if: always() && matrix.os == 'ubuntu-latest' - run: addlicense -check -ignore 'vendor/**' . - - name: "Check: misspelling; code doesn't contain misspelling (ubuntu)" - if: always() && matrix.os == 'ubuntu-latest' - run: | - ERR=$(find . -type f | grep -v vendor/ | xargs misspell) - if ! test -z "$ERR"; then - echo "$ERR" - echo "## ⚠ misspell Failed" >> ../_comments.txt - echo "" >> ../_comments.txt - echo "$ERR" >> ../_comments.txt - echo "" >> ../_comments.txt - false - fi - - name: 'Send comments' - if: failure() - run: | - if [ -f ../_comments.txt ]; then - URL="${{github.event.issue.pull_request.url}}" - if test -z "$URL"; then - URL="${{github.api_url}}/repos/${{github.repository}}/commits/${{github.sha}}/comments" - fi - echo "Sending $(cat ../_comments.txt|wc -l) lines of comments to ${URL}" - curl -sS --request POST \ - --header "Authorization: Bearer ${{secrets.GITHUB_TOKEN}}" \ - --header "Content-Type: application/json" \ - --data "$(cat ../_comments.txt | jq -R --slurp '{body: .}')" \ - "${URL}" > /dev/null - rm ../_comments.txt - fi - - name: "Check: go generate doesn't modify files" - # See https://github.com/arduino/setup-protoc/issues/33 - if: ${{ false }} - #if: always() - run: | - go generate ./... - # Also test for untracked files. go generate should not generate ignored - # files either. - TOUCHED=$(git status --porcelain --ignored) - if ! test -z "$TOUCHED"; then - echo "go generate created these files, please fix:" - echo "$TOUCHED" - false - fi - - name: "Check: go mod tidy doesn't modify files" - if: always() - run: | - go mod tidy - TOUCHED=$(git status --porcelain --ignored) - if ! 
test -z "$TOUCHED"; then - echo "go mod tidy was not clean, please update:" - git diff - false - fi - - - codeql: - name: "codeql: go${{matrix.gover}}.x/${{matrix.os}}" - runs-on: "${{matrix.os}}" - continue-on-error: true - strategy: - fail-fast: false - matrix: - os: [ubuntu-latest] - # Do not forget to bump every 6 months! - gover: ["1.21"] - permissions: - security-events: write - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-go@v4 - with: - go-version: "~${{matrix.gover}}.0" - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: go - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/internal/engine/runtime_ctx_os.go b/internal/engine/runtime_ctx_os.go index 8189bb6..f9dc515 100644 --- a/internal/engine/runtime_ctx_os.go +++ b/internal/engine/runtime_ctx_os.go @@ -284,7 +284,7 @@ func ctxOsExec(ctx context.Context, s *shacState, name string, args starlark.Tup // Stat to make sure the entrypoint executable exists rather than // letting nsjail fail, for consistency with the non-absolute path case. if _, err = os.Stat(fullCmd[0]); err != nil { - return nil, err + return nil, fmt.Errorf("failed to stat path %s: %w", fullCmd[0], err) } } else { // nsjail doesn't do $PATH-based resolution of the command it's given.
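Review bot: The new message in the `os.Stat` failure branch repeats the path, because the error `os.Stat` returns is an `*fs.PathError` whose text already carries the operation and the path. Wrapping with `%w` is good since callers can still use `errors.Is(err, fs.ErrNotExist)`, but the prefix should add context rather than repeat it, for example `return nil, fmt.Errorf("entrypoint executable is not usable: %w", err)`. If the path is kept in the prefix, format it with `%q` so that whitespace or control characters in a caller-supplied command name stay visible in logs. `ctxOsExec` starts and ends outside this hunk, so whether `fmt` is already imported in the file cannot be checked from here.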