diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 71d1a51..e9ceae7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,13 +20,17 @@ env:
 # renovate: datasource=github-releases depName=PSScriptAnalyzer packageName=PowerShell/PSScriptAnalyzer
 PSSCRIPTANALYZER_VERSION: '1.24.0'
 TERM: xterm
+ # renovate: datasource=github-releases depName=zizmor packageName=zizmorcore/zizmor
+ ZIZMOR_VERSION: '1.12.1'
 jobs:
 lint:
 runs-on: ubuntu-latest
 permissions:
+ actions: read
 contents: read
+ security-events: write
 steps:
@@ -40,11 +44,17 @@ jobs:
 - name: Add actionlint problem matcher
 run: echo "::add-matcher::.github/actionlint-matcher.json"
- - name: Lint workflows
+ - name: Lint workflows with actionlint
 uses: docker://rhysd/actionlint:1.7.7@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9
 with:
 args: -color
+ - name: Lint workflows with zizmor
+ uses: zizmorcore/zizmor-action@5ca5fc7a4779c5263a3ffa0e1f693009994446d1 # v0.1.2
+ with:
+ persona: pedantic
+ version: ${{ env.ZIZMOR_VERSION }}
+
 - name: Lint markdown
 uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e # v20.0.0
 with:
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index 5ade0de..1f5a5f2 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -8,7 +8,7 @@ on:
 - cron: '0 5 * * MON'
 workflow_dispatch:
-permissions: read-all
+permissions: read-all # zizmor: ignore[excessive-permissions] Recommended permissions for OSSF Scorecard
 jobs:
 analysis:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 354ef78..c580a56 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
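Review bot: The two scopes added to the `lint` job's `permissions` (`actions: read`, `security-events: write`) carry no comment saying what needs them, whereas the `ZIZMOR_VERSION` line just above documents itself with a Renovate marker; someone auditing this job's token later has to know that zizmor-action's default SARIF upload to code scanning is the consumer. Suggest `security-events: write  # zizmor-action uploads SARIF to code scanning` and `actions: read  # required by upload-sarif on private repositories`, hedged on the assumption that the upload goes through codeql-action's upload-sarif, which documents both scopes. Nothing else in this hunk uses either scope, so if the SARIF upload is ever turned off the scopes should go with it.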
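Review bot: The new `Lint workflows with zizmor` step only executes when the actionlint step before it succeeds, since neither step has an `if:` condition, so an actionlint error on a pull request hides every zizmor finding (and its SARIF upload) until that error is fixed. If both linters are meant to report independently, add `if: ${{ !cancelled() }}` to the zizmor step so it still runs after an earlier failure. Pinning the action to a commit SHA with a `# v0.1.2` comment and taking the tool version from `env.ZIZMOR_VERSION` matches how the actionlint image is pinned by digest in the same hunk. The enclosing `steps:` list continues outside the hunk.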
@@ -29,6 +29,7 @@ jobs:
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 filter: 'tree:0'
+ persist-credentials: true # zizmor: ignore[artipacked] Needed to push commits
 show-progress: false
 token: ${{ secrets.COSTELLOBOT_TOKEN }}
@@ -43,7 +44,7 @@ jobs:
 script: |
 const { repo, owner } = context.repo;
 const draft = process.env.DRAFT === 'true';
-
+
 let version = process.env.VERSION;
 if (version.startsWith('v')) {
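Review bot: `persist-credentials: true` leaves the PAT from `secrets.COSTELLOBOT_TOKEN` in the checkout's `.git/config` for the rest of the job, where any later step, including third-party actions, can read it; that exposure is exactly what the suppressed `artipacked` finding reports, and the justification `Needed to push commits` does not say which step pushes. Since `true` is already checkout's default, this line exists only to make the choice explicit and to host the suppression, so the safer alternative is `persist-credentials: false` plus handing the token to the pushing step alone (an `env:` entry on that step used in the push remote URL), which removes the need for the ignore comment. If the job really must persist the credential, extend the comment to name the consumer and the token's scope, e.g. `# zizmor: ignore[artipacked] Read by the <push step name> step; token is scoped to contents:write` (placeholder name). The checkout step's `- name:` line and the push step itself are outside the hunk, so this is inferred from the `token:` input visible here.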