diff --git a/.github/workflows/downstream.yaml b/.github/workflows/downstream.yaml
index dce99736b..56fd9ccfc 100644
--- a/.github/workflows/downstream.yaml
+++ b/.github/workflows/downstream.yaml
@@ -20,10 +20,12 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ persist-credentials: false
 path: poetry-core
 - uses: actions/checkout@v4
 with:
+ persist-credentials: false
 path: poetry
 repository: python-poetry/poetry
 ref: ${{ matrix.ref }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 46de7f037..03ec859a8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,7 +9,9 @@ jobs:
 name: Build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - run: pipx run build
@@ -27,16 +29,19 @@ jobs:
 needs: build
 steps:
 # We need to be in a git repo for gh to work.
- - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: distfiles
 path: dist/
- - run: gh release upload ${{ github.event.release.tag_name }} dist/*.{tar.gz,whl}
+ - run: gh release upload "${TAG_NAME}" dist/*.{tar.gz,whl}
 env:
 GH_TOKEN: ${{ github.token }}
+ TAG_NAME: ${{ github.event.release.tag_name }}
 upload-pypi:
 name: Upload (PyPI)
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index d1d3ccca3..a8f28b5b1 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -32,6 +32,8 @@ jobs:
 shell: bash
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v5
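Review bot: Both checkout steps in this hunk stop persisting the token but still reference the mutable tag `actions/checkout@v4`, while release.yaml in the same commit pins the action by commit, `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`; a moved tag would silently change what runs here with the workflow's token in scope, so the two lines should become `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. The same applies to the `actions/checkout@v4` lines in the tests.yaml and update-licenses.yaml hunks, and to the `actions/setup-python@v5` references visible next to them. Recent zizmor releases have an audit for unpinned `uses:` references, so the hook this commit adds may start reporting these; whether v0.8.0 does is worth confirming before relying on it.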
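Review bot: The comment `# We need to be in a git repo for gh to work.` above the release checkout no longer explains the step fully now that `persist-credentials: false` is set: a reader may assume `gh release upload` needs the git credential that is being withheld, whereas the step's `env` shows it authenticating through `GH_TOKEN`. Suggest extending the comment to `# We need to be in a git repo for gh to detect the repository; gh authenticates with GH_TOKEN below, so git credentials need not persist.`. Moving the tag name into `TAG_NAME` and quoting it is the right shape, since it keeps event data out of the shell source; the upload-pypi job that follows continues outside the hunk.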
diff --git a/.github/workflows/update-licenses.yaml b/.github/workflows/update-licenses.yaml
index 2bf3fecf7..17aa774e2 100644
--- a/.github/workflows/update-licenses.yaml
+++ b/.github/workflows/update-licenses.yaml
@@ -11,6 +11,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python 3.10
 uses: actions/setup-python@v5
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bb9e1370c..40dde5162 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -30,3 +30,11 @@ repos:
 hooks:
 - id: ruff
 - id: ruff-format
+
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v0.8.0
+ hooks:
+ - id: zizmor
+ # types and files can be removed with https://github.com/woodruffw/zizmor-pre-commit/pull/2
+ types: [yaml]
+ files: \.github/workflows/.*$
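Review bot: The new zizmor hook only audits the files pre-commit passes to it, which by default are the files staged in a commit, so the workflows this commit hardens are not re-checked until each is next edited and any finding that survives the commit stays silent. A one-off `pre-commit run zizmor --all-files` establishes the baseline; whether the project already runs all hooks on all files in CI is not visible here and is worth confirming. The `files: \.github/workflows/.*$` pattern is unanchored at the start, which is harmless for this repository layout but a leading `^` would state the intent, and the comment pointing at the upstream pull request could name which `rev` makes `types`/`files` redundant once it is released so the cleanup is actionable.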