diff --git a/.cspell.json b/.cspell.json
index 96eabed..64ab47b 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -12,9 +12,11 @@
 "nvmrc",
 "rollup",
 "ruleset",
+ "sarif",
 "tagname",
 "vite",
- "VSIX"
+ "VSIX",
+ "ZIZMOR"
 ],
 "flagWords": [
 "hte"
diff --git a/.cursor/rules/general.mdc b/.cursor/rules/general.mdc
index ae692e6..80a5af7 100644
--- a/.cursor/rules/general.mdc
+++ b/.cursor/rules/general.mdc
@@ -3,8 +3,9 @@ description:
 globs:
 alwaysApply: true
 ---
+
 - Before declaring a task is complete, compile the extension to ensure it completes with no errors.
 - Never downgrade dependencies
 - Always run commands using PowerShell on Windows
 - Newly added version/features for the Extension Changelog go at the top.
-- As a general rule: rules, attributes, lists shoud be alphabetical order.
+- As a general rule: some rules, attributes, lists should be in alphabetical order.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..6b4c901
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,3 @@
+# About CODEOWNERS - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+* @coliff
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8672dc7..78acbf8 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -27,10 +27,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1 with: languages: ${{ matrix.language }} queries: +security-and-quality
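Review bot: In codeql-analysis.yml the checkout step is not just pinned, it moves from `@v4` to the commit labelled `# v5.0.0`, a major-version upgrade folded into what otherwise reads as a pinning change; the same jump is made in publish.yml, spellcheck.yml, super-linter.yml and test.yml, while setup-node stays on v4. I would say so in the commit description and confirm the new major's runner requirements are met wherever these jobs run. Separately, nothing in this diff shows an updater keeping the pinned SHAs and their version comments in step; if none is configured, a Dependabot entry with `package-ecosystem: "github-actions"` would keep the pins from going stale. The steps list continues outside the hunk.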
@@ -39,9 +41,9 @@ jobs: - test/* - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1 with: category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/pubish.yml b/.github/workflows/publish.yml
similarity index 70%
rename from .github/workflows/pubish.yml
rename to .github/workflows/publish.yml
index 1ea17ae..9e4b12a 100644
--- a/.github/workflows/pubish.yml
+++ b/.github/workflows/publish.yml
@@ -5,13 +5,19 @@ on: workflow_dispatch: name: Deploy Extension +permissions: + contents: read + id-token: write + jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index 551b93e..09d1be5 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -13,8 +13,11 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.actor != 'dependabot[bot]' }}
 steps:
- - uses: actions/checkout@v4
- - uses: streetsidesoftware/cspell-action@v7
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - uses: streetsidesoftware/cspell-action@dcd03dc3e8a59ec2e360d0c62db517baa0b4bb6d # v7.2.0
 with:
 check_dot_files: false
 incremental_files_only: true
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index c99d0de..21bca17 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
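Review bot: In publish.yml, `id-token: write` is granted in the workflow-level `permissions:` block, so any job later added to this workflow can mint an OIDC token too; declaring it on the job that publishes is tighter: keep `permissions:` with `contents: read` at the top and add a `permissions:` block with `contents: read` and `id-token: write` under `deploy:`. The deploy job's publishing steps are outside the hunk, so whether anything there actually exchanges an OIDC token is not visible; if it authenticates with a stored secret instead, `id-token: write` can be dropped. A one-line comment on the permission saying what consumes the token would help the next reviewer.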
@@ -19,9 +19,10 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Lint Code Base uses: super-linter/super-linter/slim@v8
@@ -35,6 +36,7 @@ jobs:
 SUPPRESS_POSSUM: true
 VALIDATE_ALL_CODEBASE: false
 VALIDATE_EDITORCONFIG: false
+ VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
 VALIDATE_HTML: false
 VALIDATE_HTML_PRETTIER: false
 VALIDATE_JSCPD: false
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9e05c36..77cc491 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -27,12 +27,12 @@ jobs: steps: - name: Clone repository - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ matrix.node }} cache: npm
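Review bot: In super-linter.yml the Lint Code Base step still reads `uses: super-linter/super-linter/slim@v8`, a mutable tag, while every other action touched in this commit is pinned to a full commit SHA. Pin it the same way, `uses: super-linter/super-linter/slim@<full-commit-sha> # v8.x.y`, where both values are placeholders to be filled from the release actually in use. The step's remaining settings continue outside this hunk, so what the step can reach (for example a token passed through `env`) is not visible here.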
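Review bot: `VALIDATE_GITHUB_ACTIONS_ZIZMOR: false` in super-linter.yml switches off super-linter's zizmor check of the workflow files without a comment explaining why, in a commit whose other changes (SHA pins, `persist-credentials: false`) are the kind of finding that check reports. If zizmor runs somewhere else, record that on the line above, e.g. `# zizmor runs in a separate workflow; disabled here to avoid duplicate findings`; if it does not, leaving the check enabled would keep these fixes from regressing. The surrounding block of settings starts and ends outside the hunk.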