diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f6faee6..8e5296d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 7
 groups:
 github-actions:
 patterns:
diff --git a/.github/workflows/pint-lint.yml b/.github/workflows/pint-lint.yml
index 4e6f0a2..2a9e2af 100644
--- a/.github/workflows/pint-lint.yml
+++ b/.github/workflows/pint-lint.yml
@@ -1,20 +1,24 @@
 name: Lint PHP code style issues
-on:
+on: # zizmor: ignore[concurrency-limits]
 pull_request:
 paths:
 - '**.php'
+permissions: {}
+
 jobs:
- lint-php-code-styling:
+ lint-php-code-styling: # zizmor: ignore[anonymous-definition]
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Check PHP code style issues
 uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # 2.6
 with:
 testMode: true
- verboseMode: true
\ No newline at end of file
+ verboseMode: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7eea863..6e1d6f4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,17 +1,23 @@
 name: Release
-on:
+on: # zizmor: ignore[concurrency-limits]
 push:
 tags:
 - "v*"
+permissions: {}
+
 jobs:
- release:
+ release: # zizmor: ignore[anonymous-definition]
 name: Prepare & Create Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # create GitHub release and upload assets
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup PHP
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
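Review bot: The `# zizmor: ignore[concurrency-limits]` annotation on the `on:` line suppresses the finding rather than resolving it, while the new zizmor.yml in this same diff shows the resolution: a `concurrency:` block with `group: ${{ github.workflow }}-${{ github.ref }}` and `cancel-in-progress: true`. For a workflow triggered only by `pull_request`, that group would cancel superseded lint runs on force-pushes and let the suppression go; the same annotation is added to release.yml and tests.yml in this diff, where a group keyed on `github.ref` would also fit tests.yml, though cancelling an in-progress tag release is less obviously desirable. The `# zizmor: ignore[anonymous-definition]` on the job is harder to judge from the hunk alone, since release.yml keeps the same suppression on a job that does carry a `name:`; if the audit is reacting to the job, `name: Lint PHP code style` on `lint-php-code-styling` would be the fix, and if it is reacting to something outside the hunk the suppression deserves a short trailing reason in the comment.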
@@ -39,22 +45,15 @@ jobs:
 version: ${{ github.ref }}
 - name: Create release
- id: create_release
- uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: ${{ github.ref }}
- release_name: ${{ github.ref }}
- body: ${{ steps.changelog.outputs.text }}
- prerelease: ${{ contains(github.ref, '-beta') }}
- - name: Upload zip to release
- uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }}
- asset_path: ./dist.tar.gz
- asset_name: dist.tar.gz
- asset_content_type: application/tar+gz
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ RELEASE_VERSION: ${{ steps.changelog.outputs.version }}
+ RELEASE_NOTES: ${{ steps.changelog.outputs.text }}
+ run: |
+ PRERELEASE=""
+ if [[ "$RELEASE_VERSION" == *-beta* ]]; then PRERELEASE="--prerelease"; fi
+ gh release create "$RELEASE_VERSION" \
+ --title "$RELEASE_VERSION" \
+ --notes "$RELEASE_NOTES" \
+ $PRERELEASE \
+ ./dist.tar.gz
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 33ba8ed..fb2a2ca 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,12 +1,14 @@
 name: Test Suite
-on:
+on: # zizmor: ignore[concurrency-limits]
 push:
 branches:
 - main
 - '*.x'
 pull_request:
+permissions: {}
+
 jobs:
 php_tests:
 if: "!contains(github.event.head_commit.message, 'changelog')"
@@ -25,6 +27,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup PHP
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
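Review bot: `gh release create "$RELEASE_VERSION"` in the added run block will create a brand-new tag at the default-branch head when `$RELEASE_VERSION` does not already exist as a tag, so any mismatch between the changelog step's `version` output and the pushed tag (the removed step pinned `tag_name` to `github.ref`) would silently publish a release from the wrong commit. Adding `--verify-tag \` to the gh invocation makes it abort in that case, and a guard before it, `if [[ -z "$RELEASE_VERSION" ]]; then echo "changelog step produced no version" >&2; exit 1; fi`, covers the empty-output case with a clear message instead of whatever gh prints for an empty tag name. The changelog step that produces `version` and `text` lies outside the hunk, so whether its output carries the same `v` prefix as the pushed tag cannot be confirmed here. The `$PRERELEASE` expansion is unquoted on purpose so an empty value contributes no argument; a trailing comment on that line, `# unquoted on purpose: empty expands to nothing`, would stop a later cleanup from quoting it and passing an empty string to gh.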
@@ -33,9 +37,12 @@ jobs:
 extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, bcmath, soap, intl, gd, exif, iconv, imagick
 - name: Install dependencies
+ env:
+ LARAVEL: ${{ matrix.laravel }}
+ STABILITY: ${{ matrix.stability }}
 run: |
- composer require "illuminate/contracts:${{ matrix.laravel }}" --no-interaction --no-update
- composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-suggest
+ composer require "illuminate/contracts:$LARAVEL" --no-interaction --no-update
+ composer update --$STABILITY --prefer-dist --no-interaction --no-suggest
 - name: Run PHPUnit
 run: vendor/bin/phpunit
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..1278d67
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis
+
+on:
+ push:
+ branches:
+ - master
+ - '*.x'
+ paths:
+ - '.github/**.yml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ zizmor:
+ uses: statamic/.github/.github/workflows/zizmor.yml@7e941c239074d66da6cad3322bec3b1005c80cf7
+ permissions: {}
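Review bot: `composer update --$STABILITY` on the rewritten second line of the run block leaves the expansion unquoted while `$LARAVEL` on the line above is inside double quotes; `composer update "--$STABILITY" --prefer-dist --no-interaction --no-suggest` keeps the two lines consistent and makes an empty or whitespace-containing value fail visibly rather than word-split into extra arguments. The matrix definition that feeds `matrix.laravel` and `matrix.stability` is outside the hunk, so whether either value could ever contain whitespace cannot be confirmed from here. Moving the `${{ }}` expressions out of the script and into `env` is the right shape for keeping template expansion away from shell; a one-line comment on the `env:` line, `# pass matrix values through env rather than interpolating them into the script`, would record the reason so the next edit does not fold them back in.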
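Review bot: `push.branches` in the new zizmor.yml lists `master`, while tests.yml in this same diff triggers on `main`; if `main` is the repository's default branch, the push trigger here never fires and the audit runs only on pull requests, leaving direct pushes to the default branch unscanned. Aligning the entry with tests.yml, `- main`, or listing both branches during a transition closes that gap; which branch is actually the default cannot be confirmed from the diff. The job-level `permissions: {}` caps what the reusable workflow can be granted, which is the right default; if the shared statamic/.github workflow uploads SARIF to code scanning it would need `security-events: write` here, something only the called workflow's own `permissions` block can confirm.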