diff --git a/.github/workflows/cleanup-pr-preview.yml b/.github/workflows/cleanup-pr-preview.yml
index e729f6214..a798170a2 100644
--- a/.github/workflows/cleanup-pr-preview.yml
+++ b/.github/workflows/cleanup-pr-preview.yml
@@ -13,10 +13,12 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: gh-pages
+          persist-credentials: false
       - run: git config user.name "github-actions[bot]"
       - run: git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
       - run: git rm -rf ${{ github.event.number }}
       - run: git commit -m 'Cleaning up gh-pages after ${{ github.event.number }}'
       - uses: ad-m/github-push-action@881a6320fdb16eb5318c5054f31c218aec2b324c # v1.3.0
         with:
+          github_token: ${{ github.token }}
           branch: gh-pages
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c4825bd65..571004be0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,6 +10,8 @@ on:
 env:
   FORCE_COLOR: 1
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 4f72748a6..5937721ce 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -6,6 +6,11 @@ on:
     branches:
       - main
 
+env:
+  FORCE_COLOR: 1
+
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 529c7646b..7e8b3dbd0 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -18,6 +18,8 @@ jobs:
           python-version: "3.x"
       - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - run: sudo apt-get install -y gettext
       - run: pip install -r requirements.txt
       - run: uv run generate.py  # generates index.html and index.json
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 813406079..f489859b8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -52,5 +52,10 @@ repos:
       - id: djlint-reformat-jinja
       - id: djlint-jinja
 
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f  # frozen: v1.22.0
+    hooks:
+      - id: zizmor
+
 ci:
   autoupdate_schedule: quarterly