diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0eb8e1a..e2cce5c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -10,13 +10,17 @@ jobs:
   main-uvx:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
     - name: self test action (uvx path)
       uses: ./
   main-uv-run:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
     - run: printf '[project]\nname = "test"\nversion = "0.0.0"\nrequires-python = ">=3.13"\n' > pyproject.toml
       shell: bash
     - name: self test action (uv run path)
@@ -24,8 +28,10 @@ jobs:
   main-external-uv:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
-    - uses: astral-sh/setup-uv@v7
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
+    - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
     - name: self test action (external uv)
       uses: ./
       with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 312fcb4..79ce316 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -6,5 +6,9 @@ repos:
     -   id: end-of-file-fixer
     -   id: check-yaml
 
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
 ci:
   autoupdate_schedule: quarterly