diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 9f1155a7f6..f2f05b4be2 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -152,9 +152,32 @@ jobs:
     strategy:
       fail-fast: false
 
+      # Targets:
+      #   - valgrind-full:    all tests on valgrind, aiming to catch memory bugs
+      #   - valgrind:         reduced set of tests on valgrind, aiming to catch memory bugs
+      #   - valgrind-ct-full: all tests on valgrind, aiming to catch secret-dependent execution issues
+      #   - valgrind-ct:      reduced set of tests on valgrind, aiming to catch secret-dependent execution issues
+
       matrix:
-        compiler: [clang, gcc]
-        cxxflags: ["-O0", "-O1", "-O2", "-O3", "-Os"]
+        # Run a matrix of compiler and optimization flag combinations to maximize
+        # the signal of secret-dependent execution issues introduced by compilers.
+        compiler: ["clang", "gcc"]
+        cxxflags: ["-O1", "-O2", "-O3"]
+        target:   ["valgrind-ct-full"]
+
+        include:
+          - compiler: clang
+            cxxflags: "-O3"
+            target:   "valgrind-full" # memory bug detection
+          - compiler: clang
+            cxxflags: "-Os"
+            # Clang's -Os generated binary is fast enough to run the full test suite.
+            target:   "valgrind-ct-full"
+          - compiler: gcc
+            cxxflags: "-Os"
+            # GCC with -Os generates a much slower binary, that won't finish
+            # before timing out on GH Actions, so we run a reduced set of tests.
+            target:   "valgrind-ct-reduced"
 
     runs-on: ubuntu-24.04
 
@@ -163,25 +186,18 @@ jobs:
 
       - name: Create Cache Key Hash
         run: |
-          hash=$(echo "${{ matrix.compiler }}${{ matrix.cxxflags }}" | sha256sum | head -c 10)
+          # Hashing the optimization flag value as this might contain spaces.
+          hash=$(echo "${{ matrix.cxxflags }}" | sha256sum | head -c 10)
           echo "CACHE_KEY_HASH=${hash}" >> $GITHUB_ENV
 
       - name: Setup Build Agent
         uses: ./.github/actions/setup-build-agent
         with:
           target: valgrind-full
-          cache-key: linux-x86_64-valgrind-full-${{ env.CACHE_KEY_HASH }}
-
-      - name: Determine Valgrind Target
-        run: |
-          if [[ "${{ matrix.cxxflags }}" == "-O0" || ("${{ matrix.cxxflags }}" == "-Os" && "${{ matrix.compiler }}" == "gcc") ]]; then
-            echo "VALGRIND_TARGET=valgrind" >> $GITHUB_ENV
-          else
-            echo "VALGRIND_TARGET=valgrind-full" >> $GITHUB_ENV
-          fi
+          cache-key: linux-x86_64-${ matrix.compiler }-${{ matrix.target }}-${{ env.CACHE_KEY_HASH }}
 
       - name: Valgrind Checks
-        run: python3 ./src/scripts/ci_build.py --make-tool=make --cc=${{ matrix.compiler }} --custom-optimization-flags="${{ matrix.cxxflags }}" ${{ env.VALGRIND_TARGET }}
+        run: python3 ./src/scripts/ci_build.py --make-tool=make --cc=${{ matrix.compiler }} --custom-optimization-flags="${{ matrix.cxxflags }}" ${{ matrix.target }}
 
   hybrid_tls_interop:
     name: "PQ/T TLS 1.3"