diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
new file mode 100644
index 0000000..00ea2bb
--- /dev/null
+++ b/.github/linters/zizmor.yaml
@@ -0,0 +1,5 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": ref-pin
diff --git a/.github/workflows/add-labels-standardized.yaml b/.github/workflows/add-labels-standardized.yaml
index 2802969..38b4e6f 100644
--- a/.github/workflows/add-labels-standardized.yaml
+++ b/.github/workflows/add-labels-standardized.yaml
@@ -6,21 +6,22 @@ on:
       - opened
       - reopened
 
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   add-issue-labels:
+    permissions:
+      issues: write
     secrets:
       ORG_MEMBERSHIP_TOKEN: ${{ secrets.ORG_MEMBERSHIP_TOKEN }}
       SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }}
-    uses: senzing-factory/build-resources/.github/workflows/add-labels-to-issue.yaml@v2
+    uses: senzing-factory/build-resources/.github/workflows/add-labels-to-issue.yaml@v3
 
   slack-notification:
     needs: [add-issue-labels]
     if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-issue-labels.outputs.job-status) }}
     secrets:
       SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-    uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+    uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
     with:
       job-status: ${{ needs.add-issue-labels.outputs.job-status }}
diff --git a/.github/workflows/add-to-project-senzing-dependabot.yaml b/.github/workflows/add-to-project-senzing-dependabot.yaml
index fc9cf52..9b1a0e4 100644
--- a/.github/workflows/add-to-project-senzing-dependabot.yaml
+++ b/.github/workflows/add-to-project-senzing-dependabot.yaml
@@ -4,14 +4,15 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  repository-projects: write
+permissions: {}
 
 jobs:
   add-to-project-dependabot:
+    permissions:
+      repository-projects: write
     secrets:
       SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
-    uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v2
+    uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v3
     with:
       project: ${{ vars.SENZING_GITHUB_ORGANIZATION_PROJECT }}
 
@@ -20,6 +21,6 @@ jobs:
     if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project-dependabot.outputs.job-status) }}
     secrets:
       SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-    uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+    uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
     with:
       job-status: ${{ needs.add-to-project-dependabot.outputs.job-status }}
diff --git a/.github/workflows/add-to-project-senzing.yaml b/.github/workflows/add-to-project-senzing.yaml
index 627f1da..870bcca 100644
--- a/.github/workflows/add-to-project-senzing.yaml
+++ b/.github/workflows/add-to-project-senzing.yaml
@@ -6,16 +6,16 @@ on:
       - opened
       - reopened
 
-permissions:
-  repository-projects: write
+permissions: {}
 
 jobs:
   add-to-project:
+    permissions:
+      repository-projects: write
     secrets:
       SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
-    uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v2
+    uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3
     with:
-      classic: false
       project-number: ${{ vars.SENZING_GITHUB_ORGANIZATION_PROJECT }}
       org: ${{ vars.SENZING_GITHUB_ACCOUNT_NAME }}
 
@@ -24,6 +24,6 @@ jobs:
     if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project.outputs.job-status) }}
     secrets:
       SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-    uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+    uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
     with:
       job-status: ${{ needs.add-to-project.outputs.job-status }}
diff --git a/.github/workflows/dependabot-approve-and-merge.yaml b/.github/workflows/dependabot-approve-and-merge.yaml
index 326edea..ecee237 100644
--- a/.github/workflows/dependabot-approve-and-merge.yaml
+++ b/.github/workflows/dependabot-approve-and-merge.yaml
@@ -4,12 +4,13 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   dependabot-approve-and-merge:
+    permissions:
+      contents: write
+      pull-requests: write
     secrets:
       SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }}
-    uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v2
+    uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
index c471330..a119dda 100644
--- a/.github/workflows/lint-workflows.yaml
+++ b/.github/workflows/lint-workflows.yaml
@@ -6,12 +6,13 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  contents: read
-  packages: read
-  pull-requests: read
-  statuses: write
+permissions: {}
 
 jobs:
   lint-workflows:
-    uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v2
+    permissions:
+      contents: read
+      packages: read
+      pull-requests: read
+      statuses: write
+    uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v3
diff --git a/.github/workflows/move-pr-to-done-dependabot.yaml b/.github/workflows/move-pr-to-done-dependabot.yaml
index 72b1f5f..d6cd67c 100644
--- a/.github/workflows/move-pr-to-done-dependabot.yaml
+++ b/.github/workflows/move-pr-to-done-dependabot.yaml
@@ -5,13 +5,14 @@ on:
     branches: [main]
     types: [closed]
 
-permissions:
-  repository-projects: write
+permissions: {}
 
 jobs:
   move-pr-to-done-dependabot:
+    permissions:
+      repository-projects: write
     secrets:
       SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
-    uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v2
+    uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v3
     with:
       project: ${{ vars.SENZING_GITHUB_ORGANIZATION_PROJECT }}
diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml
index bdd3f9d..8e8f35b 100644
--- a/.github/workflows/spellcheck.yaml
+++ b/.github/workflows/spellcheck.yaml
@@ -4,15 +4,18 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   spellcheck:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - uses: streetsidesoftware/cspell-action@v7
         with: