diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 91d99ec3..137b4b50 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,6 +32,8 @@ jobs:
 code-changed: ${{ steps.filter.outputs.code }}
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
 id: filter
 with:
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
deleted file mode 100644
index 06cb4478..00000000
--- a/.github/workflows/deny.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: Cargo Deny
-
-permissions: {}
-
-on:
- workflow_dispatch:
- pull_request:
- types: [opened, synchronize]
- paths:
- - 'Cargo.lock'
- - 'deny.toml'
- - '.github/workflows/deny.yml'
- push:
- branches:
- - main
- paths:
- - 'Cargo.lock'
- - 'deny.toml'
- - '.github/workflows/deny.yml'
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
- cancel-in-progress: ${{ github.ref_name != 'main' }}
-
-jobs:
- deny:
- name: Cargo Deny
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- persist-credentials: false
- submodules: true
-
- - uses: oxc-project/setup-rust@d286d43bc1f606abbd98096666ff8be68c8d5f57 # v1.0.0
- with:
- restore-cache: false
- tools: cargo-deny
-
- - run: cargo deny check
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000..bed28828
--- /dev/null
+++ b/.github/workflows/security.yml
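Review bot: Setting `persist-credentials: false` on this checkout removes the job token from `.git/config`, and the dorny/paths-filter step that follows must then authenticate on its own; as far as I know it uses its `token` input for pull_request events but a plain `git fetch` of the base ref for push events, which on a private repository would no longer have credentials available. The paths-filter `with:` block and the rest of the job continue outside the hunk, so that is where to confirm the `token` input is set and whether the push-event path is exercised. A comment on the added lines such as `# do not leave the job token in .git/config; paths-filter authenticates via its own token input` would record why this step differs from a default checkout.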
@@ -0,0 +1,24 @@
+name: Security Analysis
+
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [opened, synchronize]
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/workflows/**'
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+ cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+jobs:
+ security:
+ name: Security Analysis
+ runs-on: ubuntu-slim
+ steps:
+ - uses: oxc-project/security-action@4211cd3f56ba742507263ea4a999f3be4165a53c # v1.0.1
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
deleted file mode 100644
index 476977bc..00000000
--- a/.github/workflows/zizmor.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-name: Zizmor
-
-permissions: {}
-
-on:
- workflow_dispatch:
- pull_request:
- types: [opened, synchronize]
- paths:
- - '.github/workflows/**'
- push:
- branches:
- - main
- - 'renovate/**'
- paths:
- - '.github/workflows/**'
-
-jobs:
- zizmor:
- name: zizmor
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- steps:
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- with:
- persist-credentials: false
- submodules: true
-
- - uses: taiki-e/install-action@ae97ff9daf1cd2e216671a047d80ff48461e30bb # v2.49.1
- with:
- tool: zizmor
-
- - name: Run zizmor
- run: zizmor --format sarif . > results.sarif
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
- with:
- sarif_file: results.sarif
- category: zizmor
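Review bot: The push trigger's `paths` filter keeps only `'.github/workflows/**'`, so pushes to main that change `Cargo.lock` or `deny.toml` — the paths the deleted deny.yml watched — will not run this workflow; if the security-action now covers the cargo-deny check, add `- 'Cargo.lock'` and `- 'deny.toml'` under `paths` (or drop the filter, as the pull_request trigger already has none). The job also inherits the top-level `permissions: {}` and passes no token, whereas the deleted zizmor.yml granted `security-events: write` and set `GH_TOKEN` for its SARIF upload, so if the action uploads results to code scanning it will need a job-level `permissions: security-events: write`; confirm against the action's documentation rather than widening permissions speculatively. There is no checkout step before the action, so it presumably checks out the repository itself or works through the API — worth confirming. A comment on the step such as `# replaces deny.yml and zizmor.yml; see the action's README for the checks it runs` would make the consolidation explicit for the next reader.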