diff --git a/.github/workflows/apidocs.yml b/.github/workflows/apidocs.yml
index 8cb89ba..1a3fd6d 100644
--- a/.github/workflows/apidocs.yml
+++ b/.github/workflows/apidocs.yml
@@ -6,12 +6,20 @@ on:
     tags:
       - '*'
 
+# Set minimal permissions by default
+permissions: {}
+
 jobs:
   deploy:
     runs-on: macos-latest
+    permissions:
+      contents: read
+      pages: write
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python 3.8
         uses: actions/setup-python@v2
         with:
@@ -24,7 +32,7 @@ jobs:
         run: ./apidocs.sh
 
       - name: Push API documentation to Github Pages
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./apidocs
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8192288..ca27ad4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
       - '*'
   pull_request:
 
+# Set minimal permissions by default
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
@@ -16,15 +19,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v5
         with:
           python-version: 3.13
 
-      - name: Run linters
-        run: |
-          python -m pip install --upgrade pip black
-          black . --check
+      - name: Install linters
+        run: python -m pip install --upgrade pip black zizmor
+
+      - name: Black
+        run: black . --check
+
+      - name: Zizmor
+        run: find .github/workflows -name '*.yml' | xargs zizmor --config .github/zizmor.yml
 
   test:
     name: ${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.use-docker && '(docker)' || '' }}
@@ -53,6 +62,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         if: ${{ !matrix.use-docker }}
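Review bot: The new job-level `permissions` block grants `contents: read` and `pages: write`, but the deploy step later in this workflow still publishes with `peaceiris/actions-gh-pages` and `secrets.GITHUB_TOKEN`, which pushes the built docs to a branch; that action documents `contents: write` as its requirement, while `pages: write` is only consumed by the `actions/deploy-pages` flow. As written the push is rejected with the read-only token, so the docs stop updating the first time a tag is pushed. Change the block to `contents: write` and drop `pages: write` unless the workflow is also being moved to deploy-pages; keep the top-level `permissions: {}`, the job-level grant is the right place for this.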
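Review bot: With the workflow-level `permissions: {}` every job's GITHUB_TOKEN now has no scopes, yet none of the jobs visible in this diff declares `contents: read` the way the apidocs job does. As far as I know `actions/checkout` still succeeds on a public repository because the token can read public content, but on a private repository the checkout fails with a 403, so the workflow now silently depends on the repository staying public. Declaring `permissions:` / `contents: read` on each job that checks out code (the job headers sit outside the hunks, so they may already have it) documents the intent and removes that dependency.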
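Review bot: The `Install linters` step installs `zizmor` (and `black`) at whatever version PyPI serves at run time, so the tool that enforces action pinning is itself an unpinned dependency: a new zizmor release can change rule sets or exit codes and either break or silently weaken this check. Pin both to exact versions, e.g. `run: python -m pip install --upgrade pip 'black==<x.y.z>' 'zizmor==<x.y.z>'`, or move them into a requirements file installed with `--require-hashes`, and let Dependabot bump them. Separately, `find ... -name '*.yml' | xargs zizmor` skips any `*.yaml` workflow and runs zizmor with no arguments if `find` matches nothing; I believe zizmor accepts a directory, so `run: zizmor --config .github/zizmor.yml .github/workflows` is simpler and covers both extensions.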
@@ -97,6 +108,8 @@ jobs:
     needs: test
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v5
         with:
@@ -143,12 +156,14 @@ jobs:
       id-token: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3.12
         uses: actions/setup-python@v5
         with:
           python-version: 3.12
-      
+
       - name: Install build dependencies
         run: |
           python -m pip install -U setuptools wheel
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..b84956d
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+  unpinned-uses:
+    ignore: []
+    config:
+      policies:
+        actions/*: ref-pin
+        pypa/gh-action-pypi-publish: ref-pin
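Review bot: The policy accepts mutable tag references for `actions/*` and `pypa/gh-action-pypi-publish` while the same commit hash-pins `peaceiris/actions-gh-pages` in apidocs.yml, but the file does not say why; a tag can be moved to different code by whoever controls the action's repository, so this exemption is a trust decision the next reader should not have to reverse-engineer. Add a comment above `policies:` such as `# GitHub- and PyPA-owned actions may use a moving tag; every other action must be pinned to a full commit SHA`, and if Dependabot or Renovate keeps the hashes current, say so there too. The catch-all for every other action is presumably zizmor's default; stating it explicitly as `'*': hash-pin` makes the file self-describing — note the quotes, an unquoted `*` key is parsed as a YAML alias. `ignore: []` adds nothing as written and can be dropped or annotated with what would belong in it.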