diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index dc2d22e..73221a9 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -13,43 +13,47 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- # Install required system dependencies
- # Includes Ansible, Docker (for molecule and compose), and Python tooling
- - name: Install dependencies
+ # Install system dependencies required for CI
+ - name: Install system dependencies
 run: |
 apt-get update
- apt-get install -y python3 python3-pip ansible docker.io
- pip3 install ansible-lint molecule molecule-plugins[docker]
+ apt-get install -y python3 python3-venv ansible docker.io
- # Basic Python syntax validation to catch immediate errors
- # This avoids introducing runtime failures due to syntax issues
+ # Create isolated Python environment and install tools
+ # This avoids breaking system Python (PEP 668 compliant)
+ - name: Setup Python virtual environment
+ run: |
+ python3 -m venv .venv
+ . .venv/bin/activate
+ pip install --upgrade pip
+ pip install ansible-lint molecule molecule-plugins[docker]
+
+ # Basic Python syntax validation
 - name: Python syntax check
 run: |
 find migration-validation-framework -name "*.py" -exec python3 -m py_compile {} \;
- # Run Ansible lint to enforce best practices and detect potential issues
- # Uses ansible.cfg from the project directory
+ # Run Ansible lint using virtual environment
 - name: Ansible lint
 run: |
+ . .venv/bin/activate
 cd enterprise-infra-simulator
 ansible-lint
- # Perform syntax validation of all playbooks
- # Ensures playbooks are structurally correct before execution
+ # Validate Ansible playbook syntax
 - name: Ansible syntax check
 run: |
 cd enterprise-infra-simulator
 ansible-playbook --syntax-check playbooks/*.yml
 # Validate Docker Compose configuration
- # Ensures compose file is valid and can be parsed correctly
 - name: Docker Compose validation
 run: |
 docker compose -f observability-stack/docker-compose.yml config
- # Execute Molecule tests for Ansible roles
- # This validates role behavior in an isolated container environment
+ # Run Molecule tests using virtual environment
 - name: Molecule test
 run: |
+ . .venv/bin/activate
 cd enterprise-infra-simulator
 molecule test
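Review bot: The two `pip install` lines in the new "Setup Python virtual environment" step pull whatever versions of pip, ansible-lint, molecule and molecule-plugins are current at run time, so each CI run executes unreviewed package code on a runner that also has Docker installed. Pin the tooling instead: commit a requirements file with exact versions and hashes and install it with `pip install --require-hashes -r <ci-requirements-file>` (placeholder name). Quoting the extra as `'molecule-plugins[docker]'` also stops the shell from treating the brackets as a glob. Separately, the "Ansible syntax check" step does not source `.venv/bin/activate`, so it presumably runs the apt-installed `ansible-playbook`, while lint and Molecule use whatever Ansible the venv resolved; activate the venv there as well, or state in a comment that the system Ansible is intended.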