diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
new file mode 100644
index 000000000..81a6873e6
--- /dev/null
+++ b/.github/workflows/actionci.yml
@@ -0,0 +1,22 @@
+name: Action CI
+
+on:
+ push:
+ tags-ignore:
+ - 'v*'
+ branches:
+ - "master"
+ pull_request:
+ workflow_call:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ actionci:
+ permissions:
+ contents: read
+ security-events: write
+ uses: smallstep/workflows/.github/workflows/actionci.yml@main
+ secrets: inherit
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
deleted file mode 100644
index 8e9248e08..000000000
--- a/.github/workflows/actionlint.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Lint GitHub Actions workflows
-on:
- push:
- workflow_call:
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
- cancel-in-progress: true
-
-permissions:
- contents: write
- pull-requests: write
-
-jobs:
- actionlint:
- uses: smallstep/workflows/.github/workflows/actionlint.yml@main
- secrets: inherit
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9b831a90b..f4ffd1f89 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,8 +16,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 ci:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
 uses: smallstep/workflows/.github/workflows/goCI.yml@main
 with:
 only-latest-golang: false
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
index 9a35b7fe6..b0af523f4 100644
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
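Review bot: The new actionci.yml sets permissions only on the `actionci` job and has no top-level `permissions:` block, unlike the ci.yml and code-scan-cron.yml hunks of the same commit, so any job added to this file later without its own block inherits the repository's default token scope. Adding `permissions:` / `  contents: read` between the `concurrency:` stanza and `jobs:` keeps the workflow default read-only and is the shape zizmor's `excessive-permissions` audit would otherwise likely flag; the job's own grant of `contents: read` and `security-events: write` can stay as it is. The call to `smallstep/workflows/.github/workflows/actionci.yml@main` with `secrets: inherit` rides on a floating branch ref, which the zizmor policy added in this commit deliberately permits for `smallstep/*`; a one-line comment above `uses:` such as `# org-owned reusable workflow; branch pin accepted by .github/zizmor.yml` would save the next reader from re-raising it.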
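Review bot: The new `ci` job grant of `actions: read` and `security-events: write` is undocumented; nothing in the hunk says which part of the called `goCI.yml` workflow needs them, so a later reader cannot tell whether either can be dropped. A reusable workflow can use only what the calling job grants, so a comment above the job's `permissions:` such as `# goCI uploads code-scanning results; needs security-events: write and actions: read` (presumably — confirm against smallstep/workflows) records the reason. The job-level `contents: read` merely restates the new top-level default; keeping it is fine, since it makes the job self-describing if the top-level block ever changes.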
@@ -2,6 +2,11 @@ on:
 schedule:
 - cron: '0 0 * * *'
 
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 code-scan:
 uses: smallstep/workflows/.github/workflows/code-scan.yml@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a7c233cfe..8a44ea6c0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,13 +6,20 @@ on:
 tags:
 - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+ contents: write
+
 jobs:
 ci:
+ permissions:
+ contents: read
 uses: smallstep/certificates/.github/workflows/ci.yml@master
 secrets: inherit
 
 create_release:
 name: Create Release
+ permissions:
+ contents: write
 needs: ci
 runs-on: ubuntu-latest
 env:
@@ -25,9 +32,11 @@ jobs:
 steps:
 - name: Is Pre-release
 id: is_prerelease
+ env:
+ REF: ${{ github.ref }}
 run: |
 set +e
- echo ${{ github.ref }} | grep "\-rc.*"
+ echo "${REF}" | grep "\-rc.*"
 OUT=$?
 if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
 echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..92a614677
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,12 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "smallstep/*": ref-pin
+ secrets-inherit:
+ disable: true
+ ref-confusion:
+ disable: true
+ dangerous-triggers:
+ ignore:
+ - triage.yml
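Review bot: The added top-level `permissions:` block makes `security-events: write` and `actions: read` the default token scope for every job in code-scan-cron.yml, whereas the ci.yml hunk in the same commit keeps the workflow default at `contents: read` and scopes the write grant to the one job that needs it. Only the `code-scan` job is visible here and the hunk ends at its `uses:` line, so I cannot tell whether further jobs follow; moving the wider grant onto the job keeps the workflow default read-only and matches the pattern used in ci.yml. The rewritten stanza is below; the reason for `security-events: write` (presumably the called code-scan workflow uploads scan results) is worth a comment above the job-level block.

```yaml
# … unchanged: on/schedule trigger …
permissions:
  contents: read

jobs:
  code-scan:
    permissions:
      actions: read
      contents: read
      security-events: write
    uses: smallstep/workflows/.github/workflows/code-scan.yml@main
```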
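Review bot: The new top-level `permissions:` / `contents: write` becomes the default token scope for every job in release.yml, yet both jobs visible here override it (`ci` with `contents: read`, `create_release` with `contents: write`), so the top-level write is reachable only by jobs that set nothing — and `create_release` continues past the end of the hunk, so I cannot see whether later jobs or steps depend on that default. The least-privilege shape, and the one the ci.yml hunk of this commit uses, is `permissions:` / `  contents: read` at the top with `contents: write` granted per job that actually publishes the release; if a later job does rely on the workflow default, give it its own block rather than widening the default for the whole file. A short comment above `create_release`'s block, e.g. `# contents: write is needed to create the GitHub release`, would also document why that job alone needs write.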
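Review bot: With `${{ github.ref }}` now read through the `REF` environment variable, the remaining weak spot is the detection itself: `grep "\-rc.*"` depends on GNU grep accepting the undefined BRE escape `\-`, and the `set +e` / `OUT=$?` sequence exists only to read grep's exit status while it also switches errexit off for the rest of the step, so a failed `>> "${GITHUB_OUTPUT}"` write would not fail the step. Replacing the four lines from `set +e` through the `if` with `if echo "${REF}" | grep -q -- '-rc'; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi` keeps the behaviour (any ref containing `-rc` is a pre-release) without either workaround and leaves the default `bash -e` in force. The rest of the `create_release` job lies outside the hunk.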
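Review bot: The new zizmor config switches off two audits (`secrets-inherit`, `ref-confusion`) and relaxes `unpinned-uses` to branch/tag pins for every `smallstep/*` action and reusable workflow, but nothing in the file records why, so a future maintainer cannot tell a deliberate trust decision from a suppression added to get CI green. A one-line comment above each entry would do, e.g. `# org-owned actions/workflows may be pinned to a branch; everything else must be hash-pinned` above `policies:` and `# the smallstep/workflows reusable workflows are called with secrets: inherit by design` above `secrets-inherit:`. The `dangerous-triggers` ignore names `triage.yml`, which is not part of this diff, so I cannot confirm the file exists or which trigger it uses; the same comment treatment applies there, and the ignore should be revisited if that workflow is ever removed or renamed.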