diff --git a/.github/workflows/devcontainer-docker-image.yml b/.github/workflows/devcontainer-docker-image.yml
index 5ed355959..c9dc6bd93 100644
--- a/.github/workflows/devcontainer-docker-image.yml
+++ b/.github/workflows/devcontainer-docker-image.yml
@@ -24,6 +24,8 @@ jobs:
 steps:
 - name: Checkout source
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - name: Setup Docker buildx
 uses: docker/setup-buildx-action@v3.7.1
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index bbbbd27ae..5e66fe6f2 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -14,6 +14,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - name: Login to Docker Hub
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index afa32a443..e6ea6826f 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -13,6 +13,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: mamba-org/setup-micromamba@v2
 with:
 environment-file: conda-envs/environment-test.yml
diff --git a/.github/workflows/pr-auto-label.yml b/.github/workflows/pr-auto-label.yml
index 2dcb2dd3d..9879a8e55 100644
--- a/.github/workflows/pr-auto-label.yml
+++ b/.github/workflows/pr-auto-label.yml
@@ -1,16 +1,14 @@
 name: "Pull Request Labeler"
 on:
-- pull_request_target
+# The labeler doesn't execute any contributed code, so it should be fairly safe.
+- pull_request_target # zizmor: ignore[dangerous-triggers]
 jobs:
 sync:
 permissions:
- contents: read
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - name: Checkout repository
- uses: actions/checkout@v2
 - name: Sync labels with closing issues
 uses: wd60622/closing-labels@v0.0.3
 with:
diff --git a/.github/workflows/rtd-link-preview.yml b/.github/workflows/rtd-link-preview.yml
index 626b410c3..62ba59107 100644
--- a/.github/workflows/rtd-link-preview.yml
+++ b/.github/workflows/rtd-link-preview.yml
@@ -1,15 +1,15 @@
 name: Read the Docs Pull Request Preview
 on:
- pull_request_target:
+ # See
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - opened
-permissions:
- pull-requests: write
-
 jobs:
 documentation-links:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - uses: readthedocs/actions/preview@v1
 with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index be2444921..268656f68 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -34,6 +34,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: dorny/paths-filter@v3
 id: changes
 with:
@@ -144,6 +145,8 @@ jobs:
 shell: bash -leo pipefail {0}
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: mamba-org/setup-micromamba@v2
 with:
 environment-file: conda-envs/environment-test.yml
@@ -194,6 +197,8 @@ jobs:
 shell: cmd /C call {0}
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: mamba-org/setup-micromamba@v2
 with:
 environment-file: conda-envs/windows-environment-test.yml
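Review bot: With `pull_request_target` kept and the `sync` job still holding `pull-requests: write`, the remaining step `uses: wd60622/closing-labels@v0.0.3` runs a third-party action on a mutable tag with a write-capable token, so the added comment's reasoning ("doesn't execute any contributed code") holds only as long as that tag is never moved. Pin it to a full commit SHA with the version in a trailing comment, `uses: wd60622/closing-labels@<commit-sha>  # v0.0.3`, matching how `actions/checkout` is pinned elsewhere in this commit. Dropping the checkout step and `contents: read` is consistent, since the labeler needs no repository contents. The step's `with:` block continues outside the hunk.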
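Review bot: The added comment `# See` above `pull_request_target:` in rtd-link-preview.yml is dangling as shown here — it introduces a reference that never follows — so either complete it with the rationale for accepting the dangerous trigger (a link or one sentence, as pr-auto-label.yml does in this commit) or drop it. Moving `pull-requests: write` from workflow level down to the `documentation-links` job is an improvement; that job also runs `readthedocs/actions/preview@v1` on a mutable major tag with the write token, which the same SHA pinning used for `actions/checkout` in this commit would address. The step's `with:` block continues outside the hunk.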
@@ -253,6 +258,8 @@ jobs:
 shell: bash -leo pipefail {0}
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: mamba-org/setup-micromamba@v2
 with:
 environment-file: conda-envs/environment-test.yml
@@ -297,6 +304,8 @@ jobs:
 shell: bash -leo pipefail {0}
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: mamba-org/setup-micromamba@v2
 with:
 environment-file: conda-envs/environment-jax.yml
@@ -341,6 +350,8 @@ jobs:
 shell: cmd /C call {0}
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: mamba-org/setup-micromamba@v2
 with:
 environment-file: conda-envs/windows-environment-test.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..b747897eb
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+# https://github.com/woodruffw/zizmor
+name: zizmor GHA analysis
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - uses: hynek/setup-cached-uv@v2
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
+ # Optional category for the results
+ # Used to differentiate multiple results for one commit
+ category: zizmor
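Review bot: The new zizmor.yml pins `actions/checkout@v4`, `hynek/setup-cached-uv@v2` and `github/codeql-action/upload-sarif@v3` by mutable tags, while every other workflow touched in this commit pins `actions/checkout` to a full commit SHA; since this job holds `security-events: write` and hands `secrets.GITHUB_TOKEN` to the zizmor step, pin these three to commit SHAs with the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4` (zizmor itself may report them under `unpinned-uses`, depending on the persona it runs with). The job-level `permissions:` block sets every unlisted permission to none; on a public repository checkout and upload still work, but on a private repository upload-sarif additionally needs `contents: read` and `actions: read`, so adding `contents: read` explicitly would make the intent clear either way. The `run:` line captures zizmor's stdout into `results.sarif`, so confirm that `--format sarif` keeps all diagnostics on stderr, otherwise a stray line would corrupt the upload.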