diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4777259e8e..dfe8dd437e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,7 +41,7 @@ jobs:
 - name: Install dependencies (C)
 if: ${{ matrix.language == 'cpp' }}
- run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl
+ run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl libpcre3-dev
 - name: Build (C)
 if: ${{ matrix.language == 'cpp' }}
diff --git a/.github/workflows/job-static-check.yml b/.github/workflows/job-static-check.yml
index 1554ba5bb7..5609b28edd 100644
--- a/.github/workflows/job-static-check.yml
+++ b/.github/workflows/job-static-check.yml
@@ -46,7 +46,7 @@ jobs:
 - name: Prepare Environment
 run: |
 sudo apt-get update && \
- sudo apt-get install -y dpkg-dev debhelper g++ libncurses5 pkg-config \
+ sudo apt-get install -y dpkg-dev debhelper g++ libncurses6 pkg-config \
 build-essential libpam0g-dev fakeroot gcc make autoconf buildah \
 liblmdb-dev libacl1-dev libcurl4-openssl-dev libyaml-dev libxml2-dev \
 libssl-dev libpcre3-dev
diff --git a/.github/workflows/windows_acceptance_tests.yml b/.github/workflows/windows_acceptance_tests.yml
index f387042f27..b6bb6c74ca 100644
--- a/.github/workflows/windows_acceptance_tests.yml
+++ b/.github/workflows/windows_acceptance_tests.yml
@@ -23,7 +23,7 @@ jobs:
 uses: actions/checkout@v3
 - name: install cf-remote
- run: pip install cf-remote
+ run: pip install cf-remote --break-system-packages
 # Note that msiexec can't install packages when running under msys;
 # But cf-remote currently can't run under powershell
diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c
index 79ec481e33..84115f997f 100644
--- a/cf-agent/verify_files_utils.c
+++ b/cf-agent/verify_files_utils.c
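Review bot: `--break-system-packages` on the `install cf-remote` step in .github/workflows/windows_acceptance_tests.yml switches off pip's externally-managed-environment guard for an unpinned package, so whatever version and dependencies resolve at run time are written into the runner's system interpreter. Installing into a virtual environment keeps the guard in place, and pinning makes the job reproducible and narrows exposure to a bad upload, e.g. `run: pip install cf-remote==<PINNED_VERSION>` (placeholder version) executed inside the venv. The later steps of the job are outside the hunk, so whether they need cf-remote on the system PATH could not be checked.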
@@ -1552,7 +1552,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con
 }
 if (!CopyRegularFileNet(source, ToChangesPath(new),
- sstat->st_size, attr->copy.encrypt, conn))
+ sstat->st_size, attr->copy.encrypt, conn, sstat->st_mode))
 {
 RecordFailure(ctx, pp, attr, "Failed to copy file '%s' from '%s'", source, conn->remoteip);
@@ -1712,7 +1712,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con
 }
 }
- if (rename(dest, changes_backup) == 0)
+ if (CopyRegularFileDisk(dest, changes_backup))
 {
 RecordChange(ctx, pp, attr, "Backed up '%s' as '%s'", dest, backup);
 *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE);
diff --git a/libcfnet/client_code.c b/libcfnet/client_code.c
index d168d37b31..032eebcf83 100644
--- a/libcfnet/client_code.c
+++ b/libcfnet/client_code.c
@@ -751,7 +751,7 @@ static void FlushFileStream(int sd, int toget)
 /* TODO finalise socket or TLS session in all cases that this function fails
 * and the transaction protocol is out of sync. */
 bool CopyRegularFileNet(const char *source, const char *dest, off_t size,
- bool encrypt, AgentConnection *conn)
+ bool encrypt, AgentConnection *conn, mode_t mode)
 {
 char *buf, workbuf[CF_BUFSIZE], cfchangedstr[265];
 const int buf_size = 2048;
@@ -775,7 +775,7 @@ bool CopyRegularFileNet(const char *source, const char *dest, off_t size,
 unlink(dest); /* To avoid link attacks */
- int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, CF_PERMS_DEFAULT);
+ int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, mode);
 if (dd == -1)
 {
 Log(LOG_LEVEL_ERR,
diff --git a/libcfnet/client_code.h b/libcfnet/client_code.h
index f0d560088f..ba32d4acdb 100644
--- a/libcfnet/client_code.h
+++ b/libcfnet/client_code.h
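Review bot: The `mode` that CopyRegularFile now passes as `sstat->st_mode` reaches `safe_open_create_perms()` in CopyRegularFileNet unmasked, so the file-type bits and any setuid/setgid/sticky bits of the remote source become part of the creation mode of a file that is still being filled from the network. Unless safe_open_create_perms (not visible here) strips them, a partially written destination could briefly carry set-id bits, and a source mode wider than the previous CF_PERMS_DEFAULT leaves the in-transit copy readable to other local users even if the promise later tightens permissions. Masking at the open call keeps the intent of the change: `int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, mode & (S_IRWXU | S_IRWXG | S_IRWXO));`. Both function bodies continue outside these hunks; the prototype in libcfnet/client_code.h would benefit from a comment such as `/* mode: permission bits for the new file; type and set-id bits are not applied */` to record the contract.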
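Review bot: Replacing `rename(dest, changes_backup)` with `CopyRegularFileDisk(dest, changes_backup)` in the second hunk of cf-agent/verify_files_utils.c turns the backup into a newly created file rather than the original inode, and nothing in the hunk shows that its mode and ownership end up matching `dest`. If CopyRegularFileDisk (defined outside this diff) creates the copy with default or umask-derived permissions, the backup of a restricted file could be more widely readable than the original, and the operation is no longer atomic, so an interrupted copy may leave a truncated backup. It is worth confirming that the helper preserves mode and owner, or applying them to `changes_backup` before `RecordChange` is reached, and adding a comment such as `/* back up by copying so that dest stays in place */` above the call. The failure branch and the rest of CopyRegularFile are outside the hunk.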
@@ -48,7 +48,7 @@ void DisconnectServer(AgentConnection *conn);
 bool CompareHashNet(const char *file1, const char *file2, bool encrypt, AgentConnection *conn);
 bool CopyRegularFileNet(const char *source, const char *dest, off_t size,
- bool encrypt, AgentConnection *conn);
+ bool encrypt, AgentConnection *conn, mode_t mode);
 Item *RemoteDirList(const char *dirname, bool encrypt, AgentConnection *conn);
 int TLSConnectCallCollect(ConnectionInfo *conn_info, const char *username);
diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh
index bcd059a3eb..4583968ff0 100755
--- a/tests/static-check/run_checks.sh
+++ b/tests/static-check/run_checks.sh
@@ -21,6 +21,8 @@ function check_with_clang() {
 function check_with_cppcheck() {
 rm -f config.cache
+ make clean
+ make -C libpromises/ bootstrap.inc # needed by libpromises/bootstrap.c
 ./configure -C --enable-debug
 # cppcheck options: