diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8452ef0..5621e4b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,3 +10,5 @@ updates:
 actions:
 patterns:
 - "*"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cefaff1..3a2f852 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,11 +2,11 @@ name: Lint
 on: [push, pull_request, workflow_dispatch]
+permissions: {}
+
 env:
 FORCE_COLOR: 1
-
-permissions:
- contents: read
+ RUFF_OUTPUT_FORMAT: github
 jobs:
 lint:
@@ -14,6 +14,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: "3.x"
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 3c6652b..885c30b 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -8,8 +8,7 @@ on:
 - published
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 env:
 FORCE_COLOR: 1
@@ -22,6 +21,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 - name: Compile translations
@@ -55,5 +56,3 @@ jobs:
 - name: Upload package to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
- with:
- attestations: true
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a0ce5d2..7b9875e 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -2,6 +2,8 @@ name: Tests
 on: [push, pull_request, workflow_dispatch]
+permissions: {}
+
 env:
 FORCE_COLOR: 1
@@ -18,6 +20,8 @@ jobs:
 branch: "main"
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: ${{ matrix.python-version }}
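Review bot: The new `cooldown:` block must sit at the update-entry level of `updates:` (a sibling of `groups:`), not inside the `actions` group whose body (`actions:` / `patterns:` / `- "*"`) forms the hunk's context; the collapsed hunk does not preserve indentation, so please confirm the nesting, since `cooldown` is not a valid key under a group. A 7-day cooldown reduces exposure to a freshly published action release that turns out to be compromised and is quickly yanked, but it also delays legitimate fixes by the same week. If, as the Dependabot documentation describes, cooldown applies only to version updates, security updates still arrive promptly; that is worth verifying before relying on it. The enclosing `updates:` entry starts outside the hunk.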
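Review bot: With the workflow-level token emptied by `permissions: {}`, every job that needs a scope must now grant it at job level, and the `lint` job body is outside this hunk; the same applies to the `permissions: {}` hunks in tests.yml and pypi-package.yml. For a public repository `actions/checkout` succeeds without `contents: read`, but for a private one the checkout step would fail, in which case the job needs `permissions:` / `  contents: read` of its own. A short comment above the line would preserve the intent the old `contents: read` line expressed: `# No token scopes by default; each job declares only what it needs`.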
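Review bot: Dropping `attestations: true` leaves PEP 740 attestation generation to the action's default instead of an explicit setting; recent `release/v1` versions default it to true under trusted publishing, so behaviour is probably unchanged, but the intent is now invisible and a future default change would silently stop producing attestations. Either keep the explicit `with:` / `attestations: true`, or add a comment above the step, `# PEP 740 attestations are generated by default under trusted publishing`, so a later reader does not assume they were disabled on purpose. Attestations and trusted publishing also need `id-token: write` on this job, and with the workflow-level token now `permissions: {}` that grant must exist at job level; the job header is outside the hunk. Separately, `@release/v1` is a moving branch ref that satisfies the new zizmor `ref-pin` policy but not `hash-pin`, so a commit SHA pin would be the stronger choice here.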
@@ -63,6 +67,8 @@ jobs:
 python-version: ["3.12", "3"]
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: ${{ matrix.python-version }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..9b42b47
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,10 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+ dangerous-triggers:
+ ignore:
+ - documentation-links.yml
+ unpinned-uses:
+ config:
+ policies:
+ "*": ref-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9a7e83b..af1d14d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -32,6 +32,11 @@ repos:
 hooks:
 - id: actionlint
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.17.0
+ hooks:
+ - id: zizmor
+
 - repo: https://github.com/tox-dev/pyproject-fmt
 rev: v2.5.0
 hooks:
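Review bot: The `unpinned-uses` policy `"*": ref-pin` only requires that a ref be present, so `actions/checkout@v6` and `pypa/gh-action-pypi-publish@release/v1` elsewhere in this diff pass even though tags and branches can be moved; `"*": hash-pin` is the stronger setting, and the Dependabot group in this diff (which appears to cover GitHub Actions) can keep SHA pins current. Whether to adopt it is a policy decision, but the weaker choice should be stated next to it: `# ref-pin accepts tags; tighten to hash-pin once actions are SHA-pinned`. The `dangerous-triggers` ignore for `documentation-links.yml` likewise deserves a one-line comment explaining why that workflow's trigger is considered safe, since that file is not in this diff and an ignore entry is exactly what a later reader will need to justify.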