diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 07001b78..4d377095 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,8 @@ updates: directory: "/" schedule: interval: "monthly" + cooldown: + default-days: 7 groups: # Creates a separate PR for each non-security-related major update. major-version-updates: diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 5879ad3e..0235da79 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -1,6 +1,6 @@ name: Add to Ecosystem WG Project -on: +on: # zizmor: ignore[dangerous-triggers] issues: types: - opened diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index 9e1045e2..2b89b120 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -5,9 +5,13 @@ on: - cron: "15 8 * * *" workflow_dispatch: +permissions: {} + jobs: build: runs-on: ${{ matrix.os }} + permissions: + contents: read strategy: matrix: os: [windows-latest, macOS-latest, ubuntu-latest] @@ -18,6 +22,7 @@ jobs: repository: electron/minimal-repro ref: refs/heads/main path: minimal-repro + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # tag: v6.3.0 with: @@ -37,9 +42,11 @@ jobs: npm install --save-dev @electron/packager@latest shell: bash - name: Package + env: + MATRIX_OS: ${{ matrix.os }} run: | cd minimal-repro - if [ "${{ matrix.os }}" == "macOS-latest" ]; then + if [ "$MATRIX_OS" == "macOS-latest" ]; then node_modules/.bin/electron-packager . --arch=universal else node_modules/.bin/electron-packager . --arch=all diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 84ceebd8..a3dfd772 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
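Review bot: The new `cooldown` block carries no comment explaining the delay, and a seven-day wait is exactly the setting a later maintainer will be tempted to drop when an update looks urgent. Suggest a comment above it, e.g. `# Wait 7 days after a release before proposing it, so versions that are yanked or flagged shortly after publication never reach a PR.` Only one `updates` entry is visible in the hunk; if the file lists other package ecosystems they do not inherit this cooldown and need their own. As far as I recall, Dependabot security updates are not delayed by cooldown — confirm against the docs that this is the behaviour wanted here.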
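Review bot: The `zizmor: ignore[dangerous-triggers]` suppression in add-to-project.yml sits on the whole `on:` map and gives no reason, so it will also silence the finding for any trigger added under `on:` later. Which trigger zizmor objects to is not clear from the visible lines — it may be one further down in `on:` beyond the hunk — so the justification belongs on the comment itself, e.g. `on: # zizmor: ignore[dangerous-triggers] job only adds the item to a project board; no checkout, no code from the event runs`, provided that matches the job defined outside the hunk. If the job does check out or execute anything supplied by the triggering event, the suppression should not be accepted.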
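Review bot: The workflow-level `permissions: {}` in canary.yml removes the default token grants from every job in the file, not only `build`, and the hunk only shows `build` receiving `contents: read`. If canary.yml defines further jobs outside the hunk, each needs its own `permissions:` block or it will run with a token that can do nothing. A one-line comment would make the intent durable: `permissions: {}  # deny by default; each job grants only what it needs`.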
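Review bot: Moving `matrix.os` into `MATRIX_OS` is the right shape, but the rewritten comparison `if [ "$MATRIX_OS" == "macOS-latest" ]` uses `==` inside single brackets, a bash extension rather than POSIX `test`. Writing it as `if [ "$MATRIX_OS" = "macOS-latest" ]; then` works under any sh-compatible shell; the Package step's own `shell:` key, if it has one, lies past the end of the hunk, and the matrix includes windows-latest where the default `run` shell is not bash. Matrix values are repository-controlled, so the old interpolation was low risk; the env-variable form is still preferable because it keeps the script text static and the value quoted.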
@@ -15,10 +15,12 @@ jobs: environment: docs-publish steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version-file: '.nvmrc' - cache: 'yarn' + package-manager-cache: false - name: Install dependencies run: yarn --immutable - name: Build API documentation @@ -32,5 +34,5 @@ jobs: - name: Upload to Azure Blob Storage uses: azure/cli@9eb25b8360668fb0ecbafa808d40e2197b2f5f52 # v3.0.0 with: - inlineScript: | + inlineScript: | # zizmor: ignore[template-injection] This only runs on tags az storage blob upload-batch --account-name ${{ secrets.AZURE_ECOSYSTEM_PACKAGES_STORAGE_ACCOUNT_NAME }} -d '$web/${{ github.event.repository.name }}/${{ github.ref_name }}' -s ./typedoc --overwrite --auth-mode login diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 42de4419..f94f2663 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,8 +5,12 @@ on: branches: - main +permissions: {} + jobs: test: + permissions: + contents: read uses: ./.github/workflows/test.yml release: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cf79856c..47dcaa77 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
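Review bot: Replacing `cache: 'yarn'` with `package-manager-cache: false` in docs.yml turns dependency caching off entirely rather than switching to setup-node's default cache, and nothing in the hunk records why. Presumably this is deliberate because the job publishes (`environment: docs-publish`, Azure upload further down) and a restored cache entry written by another run would become an input to the published artifact; say so inline, e.g. `package-manager-cache: false  # no cache in a publishing job: a poisoned cache would feed the artifact`. If the intent was only to move to the new default mechanism, the value should be `true` (or the key dropped) instead.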
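Review bot: The `zizmor: ignore[template-injection]` on `inlineScript` suppresses the finding instead of removing its cause: `${{ github.ref_name }}`, `${{ github.event.repository.name }}` and the secret are still spliced into shell source, and the justification "only runs on tags" rests on an `on:` block outside the hunk that the comment will outlive. The same commit fixed canary.yml by passing `matrix.os` through `env:`; the same pattern here makes the script static, quotes every value, and drops the need for the ignore. `$web` must stay literal, so it is escaped in the rewrite below. Confirm that azure/cli v3 forwards step `env:` into the container where the script runs before relying on this.

```yaml
        uses: azure/cli@9eb25b8360668fb0ecbafa808d40e2197b2f5f52 # v3.0.0
        env:
          STORAGE_ACCOUNT: ${{ secrets.AZURE_ECOSYSTEM_PACKAGES_STORAGE_ACCOUNT_NAME }}
          REPO_NAME: ${{ github.event.repository.name }}
          REF_NAME: ${{ github.ref_name }}
        with:
          inlineScript: |
            az storage blob upload-batch --account-name "$STORAGE_ACCOUNT" -d "\$web/$REPO_NAME/$REF_NAME" -s ./typedoc --overwrite --auth-mode login
```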
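Review bot: With `permissions: {}` now at workflow level in release.yml, the `release` job that begins on the hunk's last line gets no usable token unless it declares its own `permissions:`, and its body lies outside the hunk; a publishing job normally needs at least `contents: write` (and `id-token: write` if it uses trusted publishing), so confirm it was given exactly what it needs and nothing more. `contents: read` on `test` is correct for a reusable-workflow call — the caller's grant is the ceiling for everything in test.yml — and a short comment would help, e.g. `permissions:  # caps what ./.github/workflows/test.yml can request`.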