diff --git a/.cspell.json b/.cspell.json
index 67d544d54..37b3e1d6c 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -47,6 +47,7 @@
     "langtag",
     "lded",
     "llms",
+    "micnncim",
     "mingo",
     "msapplication",
     "nextid",
@@ -86,10 +87,15 @@
     "webp",
     "withastro",
     "xiang",
-    "Yanis"
+    "Yanis",
+    "ZIZMOR"
   ],
   "allowCompoundWords": true,
   "language": "en,en-US",
-  "ignorePaths": ["*.mjs", ".cspell.json", "data-store.json"],
+  "ignorePaths": [
+    "*.mjs",
+    ".cspell.json",
+    "data-store.json"
+  ],
   "useGitignore": true
 }
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e3259b8db..12245e216 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9fc04cbf5..1fcef8f0e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,6 +12,8 @@ jobs:
     steps:
       - name: ⬇️ Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: ⎔ Setup node
         uses: actions/setup-node@v4
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index 4759eabc0..23d9bffff 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -14,6 +14,9 @@ jobs:
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
       - uses: streetsidesoftware/cspell-action@v7
         with:
           check_dot_files: false
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 4fc23aa80..eb5506a3a 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -27,9 +27,10 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Super-linter
-        uses: super-linter/super-linter/slim@v8
+        uses: super-linter/super-linter/slim@v8.1.0
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: '/test/'
@@ -45,6 +46,7 @@ jobs:
           VALIDATE_CSS_PRETTIER: false
           VALIDATE_EDITORCONFIG: false
           VALIDATE_GIT_COMMITLINT: false
+          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_HTML: false
           VALIDATE_HTML_PRETTIER: false
           VALIDATE_JAVASCRIPT_ES: false
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 729488d70..0db70e74e 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -14,6 +14,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - uses: micnncim/action-label-syncer@v1
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 827e9aeaa..a1218b0d0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: ⬇️ Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: ⎔ Setup node
         uses: actions/setup-node@v4
@@ -47,6 +49,8 @@ jobs:
 
       - name: ⬇️ Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: ⎔ Setup node ${{ matrix.node }}
         uses: actions/setup-node@v4