diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index e15c79f..053f59f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,13 +7,17 @@ on:
 pull_request:
 branches:
 - '**'
+
+permissions: {}
+
 jobs:
 lint:
-
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
 - name: Run linter
 working-directory: ./tools/lint
 run: go run . ../../CP-CPS.md
diff --git a/.github/workflows/pr_tools.yml b/.github/workflows/pr_tools.yml
index baa38d7..4f27025 100644
--- a/.github/workflows/pr_tools.yml
+++ b/.github/workflows/pr_tools.yml
@@ -7,18 +7,22 @@ on:
 pull_request:
 branches:
 - '**'
+
+permissions: {}
+
 jobs:
 build:
-
 runs-on: ubuntu-latest
 strategy:
 matrix:
 python-version: [3.8, 3.12.3]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..2d981a0
--- /dev/null
+++ b/.github/workflows/zizmor.yml
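Review bot: The checkout pin added here in lint.yml (`actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`) and the identical pin in the pr_tools.yml hunk sit two majors behind the `# v6.0.2` pin that the new zizmor.yml uses, so one commit leaves three workflows tracking two different checkout majors. Aligning all three on one SHA keeps the next bump a single change and keeps the `# vX.Y.Z` trailer comments — which pin-aware tooling such as Dependabot and zizmor's unpinned-uses audit read — consistent; if v6 needs a newer runner image than `ubuntu-latest` provides, that is the thing to confirm before aligning upward. The new top-level `permissions: {}` in both files is silent about intent, so a one-line comment above it, `# Token gets no scopes by default; grant per job when a step needs one.`, would save the next editor from "fixing" it back to the defaults. Both hunks end inside their job: lint.yml's `run` step is the last line shown and pr_tools.yml's `Install dependencies` step continues outside the hunk.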
@@ -0,0 +1,36 @@
+name: Lint GitHub Actions
+
+on:
+ push:
+ branches:
+ - main
+ - release-branch-*
+ pull_request:
+ branches:
+ - '**'
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-24.04
+
+ env:
+ ZIZMOR_IMAGE: ghcr.io/zizmorcore/zizmor:1.25.2@sha256:14ea7f5cc7c67933394a35b5a38a277397818d232602635edb2010b313afb110
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ docker run \
+ --volume "${GITHUB_WORKSPACE}:/src:ro" \
+ --workdir "/src" \
+ --env "GH_TOKEN" \
+ "$ZIZMOR_IMAGE" -- /src
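Review bot: The workflow-level `permissions: {}` strips every scope from the `GITHUB_TOKEN` that the `Run zizmor` step then forwards into the container as `GH_TOKEN`, so the online audits that token is presumably there to enable may fail or be skipped on a private repository (on a public one, reads of public data should still work — worth confirming on a real run). If those audits are wanted, grant `contents: read` on the `zizmor` job rather than at workflow level; if they are not, drop the step-level `env:` block and the `--env "GH_TOKEN"` line so no token enters the container at all, which the digest-pinned image and the `:ro` workspace mount already make a small exposure. `- release-branch-*` is left as a plain scalar while the sibling `'**'` pattern is quoted; `- 'release-branch-*'` keeps the file consistent and makes the glob obviously a string. `runs-on: ubuntu-24.04` also diverges from the `ubuntu-latest` used by lint.yml and pr_tools.yml; pinning the image is the better choice, so consider applying it to the other two rather than leaving the split.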