diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index bc63aca35b..1bc0eb3ff2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
     directory: '/'
     schedule:
       interval: 'monthly'
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index e236f78d2f..37d9ef6761 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -4,7 +4,7 @@ on:
   issues:
     types:
       - opened
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
       - opened
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9776af79ea..e9afdc4fe3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,12 +4,14 @@ on:
   push:
     branches:
       - main
-    tags:
+    tags: # zizmor: ignore[cache-poisoning] this isn't used in a release workflow
       - v[0-9]+.[0-9]+.[0-9]+*
   pull_request:
   merge_group:
     types: [checks_requested]
 
+permissions: {}
+
 env:
   NODE_VERSION: 20.17.0
 
@@ -24,7 +26,6 @@ jobs:
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-          # cache: yarn
 
       # TODO(Forge 8): remove this once we can upgrade to `@electron/rebuild` v4
       - name: Set up Python 3.11 (with distutils)
@@ -34,6 +35,8 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: yarn install --immutable
@@ -83,7 +86,6 @@ jobs:
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-          # cache: yarn
 
       # TODO(Forge 8): remove this once we can upgrade to `@electron/rebuild` v4
       - name: Set up Python 3.11 (with distutils)
@@ -93,6 +95,8 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: yarn install --immutable
@@ -159,7 +163,6 @@ jobs:
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-          # cache: yarn
 
       # TODO(Forge 8): remove this once we can upgrade to `@electron/rebuild` v4
       - name: Set up Python 3.11 (with distutils)
@@ -169,6 +172,8 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: yarn install --immutable
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 7aa03e89d1..495e2ea23a 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -6,9 +6,13 @@ on:
     tags:
       - v7.**
 
+permissions: {}
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
     steps:
@@ -23,6 +27,7 @@ jobs:
           submodules: true
           fetch-depth: 0
           token: ${{ steps.generate-token.outputs.token }}
+          persist-credentials: false
 
       - name: Get short SHA for HEAD
         id: get-short-sha
@@ -32,7 +37,7 @@ jobs:
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: 20.x
-          cache: yarn
+          package-manager-cache: false
 
       - name: Build
         shell: bash
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 936d994153..8860a464b7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,10 +5,14 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   check-release-criteria:
     name: Check Release Criteria
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       should_release: ${{ steps.check.outputs.should_release }}
     steps:
@@ -16,6 +20,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Check release criteria
         id: check
@@ -94,11 +99,14 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install Node.js
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.0.1
         with:
           node-version-file: '.nvmrc'
+          package-manager-cache: false
           registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
@@ -123,4 +131,5 @@ jobs:
       - name: Create GitHub release
         env:
           GH_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).GITHUB_TOKEN }}
-        run: gh release create "v${{ steps.version.outputs.version }}" --target ${{ github.sha }} --generate-notes --prerelease
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+        run: gh release create "v${STEPS_VERSION_OUTPUTS_VERSION}" --target ${{ github.sha }} --generate-notes --prerelease