diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b1c4d80b1..c86dd26fd 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
 labels:
 - "Github CI/CD"
 - "no releasenotes"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/devcontainer-docker-image.yml b/.github/workflows/devcontainer-docker-image.yml
index 6ca56d7c3..59c96586a 100644
--- a/.github/workflows/devcontainer-docker-image.yml
+++ b/.github/workflows/devcontainer-docker-image.yml
@@ -1,5 +1,7 @@
 name: devcontainer-docker-image
 
+permissions: {}
+
 on:
 workflow_dispatch:
 schedule:
@@ -18,7 +20,6 @@ jobs:
 # Set permissions for GitHub token
 #
 permissions:
- contents: read
 packages: write
 steps:
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index fc0f4f7a5..32cbf4d4c 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,5 +1,7 @@
 name: docker-image
 
+permissions: {}
+
 on:
 release:
 types:
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index f4e1667dc..97acc6117 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -1,5 +1,7 @@
 name: mypy
 
+permissions: {}
+
 on:
 pull_request:
 push:
diff --git a/.github/workflows/pr-auto-label.yml b/.github/workflows/pr-auto-label.yml
index e3ba52d1c..4149f9d5a 100644
--- a/.github/workflows/pr-auto-label.yml
+++ b/.github/workflows/pr-auto-label.yml
@@ -1,4 +1,7 @@
 name: "Pull Request Labeler"
+
+permissions: {}
+
 on:
 # The labeler doesn't execute any contributed code, so it should be fairly safe.
 - pull_request_target # zizmor: ignore[dangerous-triggers]
diff --git a/.github/workflows/publish-release-notes-to-discourse.yml b/.github/workflows/publish-release-notes-to-discourse.yml
index 9c09dd235..2ac445a97 100644
--- a/.github/workflows/publish-release-notes-to-discourse.yml
+++ b/.github/workflows/publish-release-notes-to-discourse.yml
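Review bot: The new `cooldown` stanza carries no comment explaining why a seven-day delay was chosen, so a later maintainer cannot tell whether it is a supply-chain precaution or merely noise reduction. A comment above `cooldown:` such as `# Wait a week before proposing a new version so releases that are yanked or flagged shortly after publication are never picked up` records the intent. Whether this delay also applies to advisory-driven security updates is not visible here and is worth confirming against the Dependabot documentation before relying on it.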
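Review bot: A workflow-level `permissions: {}` strips every default `GITHUB_TOKEN` scope, so each job must now declare exactly the scopes it uses; the hunk shows only the top of devcontainer-docker-image.yml and none of its jobs, so that cannot be checked here. The same applies to the identical hunks in docker-image.yml, mypy.yml, pr-auto-label.yml, publish-release-notes-to-discourse.yml, release.yml, slash_dispatch.yml and tests.yml. Jobs that push images, create releases or label pull requests will fail at the first API call if a job-level `permissions` block was not added alongside this change, while jobs that only check out a public repository keep working. A one-line comment above the new key, e.g. `# No default token scopes; each job declares the permissions it needs`, makes the intent explicit for the next reader.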
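Review bot: Dropping `contents: read` from the job's `permissions` in the second devcontainer-docker-image.yml hunk leaves the job with `packages: write` only, and the new workflow-level `permissions: {}` means nothing else restores the read scope. On a public repository a checkout typically still succeeds without it, but on a private repository, or if a step reads the repository through the API, the job fails at that step; the step list continues outside the hunk, so confirm it. If the removal is deliberate, a comment such as `# contents: read omitted: public repository, checkout needs no scoped token` would stop the next reviewer from re-adding it.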
@@ -1,5 +1,7 @@
 name: Publish Release Notes to Discourse
 
+permissions: {}
+
 on:
 release:
 types: [published]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 468bccd92..ab14c1993 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,7 @@
 name: release-pipeline
 
+permissions: {}
+
 on:
 push:
 branches:
diff --git a/.github/workflows/slash_dispatch.yml b/.github/workflows/slash_dispatch.yml
index 8fc1ddf34..50eb79f75 100644
--- a/.github/workflows/slash_dispatch.yml
+++ b/.github/workflows/slash_dispatch.yml
@@ -1,4 +1,7 @@
 name: Slash Command Dispatch
+
+permissions: {}
+
 on:
 issue_comment:
 types: [created]
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 6474583ce..97b3afcb5 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,5 +1,7 @@
 name: tests
 
+permissions: {}
+
 on:
 pull_request:
 push:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index cb5fd714c..9a058503a 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,5 +1,5 @@
-# https://github.com/woodruffw/zizmor
-name: zizmor GHA analysis
+# Source:
+name: GitHub Actions Security Analysis with zizmor 🌈
 
 on:
 push:
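Review bot: The replacement header comment `# Source:` in zizmor.yml names no source — whatever followed the colon is absent here, so the line tells a reader nothing, whereas the removed line at least pointed at the upstream project. Either restore the reference the template was copied from or drop the line; `# Adapted from the zizmor-action README` would do if that is where the new job body comes from. The rest of this hunk, like the other `permissions: {}` hunks in the commit, only shows the head of the file, so whether each job declares the scopes it needs is not checkable from here.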
@@ -7,30 +7,20 @@ on:
 pull_request:
 branches: ["**"]
 
+permissions: {}
+
 jobs:
 zizmor:
- name: zizmor latest via PyPI
 runs-on: ubuntu-latest
 permissions:
 security-events: write
+ # contents: read # only needed for private repos
+ # actions: read # only needed for private repos
 steps:
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: false
 
- - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
-
 - name: Run zizmor 🌈
- run: uvx zizmor --format sarif . > results.sarif
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: results.sarif
- # Optional category for the results
- # Used to differentiate multiple results for one commit
- category: zizmor
+ uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
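Review bot: The removed upload step filed results under `category: zizmor`, and the replacement `zizmorcore/zizmor-action` step sets no category, so code scanning may mark the existing zizmor alerts as fixed and reopen them under whatever category the action uses; check the action's inputs and pass an equivalent if one exists. Removing the job `name:` also changes the check-run name from `zizmor latest via PyPI` to the job id `zizmor`, so any branch-protection rule that requires the old name needs updating. The old run step exported `GH_TOKEN` for zizmor's online audits; whether the action obtains a token by itself is not visible in the hunk and is worth confirming, since without one the online audit rules are not run. Unlike the other workflows in this commit, the top-level `permissions: {}` is placed after the `on:` block here; moving it above `on:` keeps the files uniform. The pinned SHA with a version comment on the new action is the right form and should be kept when Dependabot bumps it.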