diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index c8342e0..9e15e1c 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -11,9 +11,14 @@ defaults:
   run:
     shell: bash
 
+# no permissions by default
+permissions: {}
+
 jobs:
   run:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - name: checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
@@ -44,5 +49,3 @@ jobs:
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: docs/_build/html
-    permissions:
-      actions: write
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index dff9d98..33f58c7 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,12 +26,12 @@ repos:
 
 
 - repo: https://github.com/charliermarsh/ruff-pre-commit
-  rev: v0.11.13
+  rev: v0.12.7
   hooks:
     - id: ruff
 
 - repo: https://github.com/woodruffw/zizmor-pre-commit
-  rev: v1.9.0
+  rev: v1.11.0
   hooks:
     - id: zizmor