diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 450fdbb2..ac749860 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -57,6 +57,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index ec10212e..e078218f 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -24,12 +24,16 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.x" - name: Check package metadata - run: python scripts/check_package.py ${{ github.ref }} + env: + GITHUB_REF: ${{ github.ref }} + run: python scripts/check_package.py "${GITHUB_REF}" - name: Install pypa/build run: | # Be wary of running `pip install` here, since it becomes easy for us to @@ -52,6 +56,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: @@ -79,6 +85,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: @@ -105,6 +113,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: @@ -149,4 +159,4 @@ jobs: - name: Ensure exactly one sdist and one wheel have been downloaded run: test "$(find dist/*.tar.gz | wc -l | xargs)" = 1 && test "$(find dist/*.whl | wc -l | xargs)" = 1 - name: Publish distribution to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc diff --git a/.github/workflows/third_party.yml b/.github/workflows/third_party.yml index 7d7d8bcc..4e2e895f 100644 --- a/.github/workflows/third_party.yml +++ b/.github/workflows/third_party.yml 
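Review bot: In the `Check package metadata` step of publish.yml, the new `env:` key `GITHUB_REF` has the same name as a default variable the runner already sets, and GitHub documents that `GITHUB_*` defaults cannot be overridden from a workflow. The step therefore works because the runner's own value matches `github.ref`, while the mapping only appears to be the source of the value. Use a non-reserved name so the indirection is real, e.g. `CHECK_REF: ${{ github.ref }}` with `run: python scripts/check_package.py "${CHECK_REF}"`, or drop the `env:` block and keep `"${GITHUB_REF}"`. Moving the expression out of the `run:` string and quoting the expansion is the right fix for template injection either way.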
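Review bot: The SHA pin on `pypa/gh-action-pypi-publish` in the last publish.yml hunk does not say which release it corresponds to, so a later reader cannot audit or bump it without looking the commit up. Add a trailing comment naming the tag, e.g. `uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # <release tag>`; dependency update bots also use that comment to keep the hash and version in sync. The `actions/checkout@v4` and `actions/setup-python@v5` steps in the same workflow stay on mutable tags. If that is a deliberate policy for first-party actions, a short workflow comment saying so would stop the inconsistency from looking like an oversight in the job that handles the PyPI upload.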
@@ -63,6 +63,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Add local version of typing_extensions as a dependency run: cd pydantic; uv add --editable ../typing-extensions-latest - name: Install pydantic test dependencies @@ -94,6 +95,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Install typing_inspect test dependencies run: | set -x @@ -131,6 +133,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Install pycroscope test requirements run: | set -x @@ -168,6 +171,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Install typeguard test requirements run: | set -x @@ -205,6 +209,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Configure git for typed-argument-parser tests # typed-argument parser does this in their CI, # and the tests fail unless we do this @@ -249,6 +254,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Install mypy test requirements run: | set -x @@ -284,6 +290,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Install pdm for cattrs run: pip install pdm - name: Add latest typing-extensions as a dependency @@ -326,6 +333,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Install sqlalchemy test dependencies run: uv pip install --system tox setuptools - name: List installed dependencies @@ -362,6 +370,7 @@ jobs: uses: actions/checkout@v4 with: path: typing-extensions-latest + persist-credentials: false - name: Install uv run: curl -LsSf https://astral.sh/uv/install.sh | sh - name: Run litestar tests 
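Review bot: In the last hunk (litestar job), the step right after the hardened checkout is still `run: curl -LsSf https://astral.sh/uv/install.sh | sh`, which executes whatever that URL serves at run time, with no version or checksum pin. `persist-credentials: false` limits what such a script could read from `.git/config`, but the job still runs unpinned remote code. Consider a versioned installer, `run: curl -LsSf https://astral.sh/uv/<pinned-version>/install.sh | sh`, or installing uv the way the other jobs in this file do (their setup is not visible in these hunks). That line is unchanged context, so this is a follow-up for the same hardening pass, not a defect introduced here.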
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9984bf0f..5940d741 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,6 +37,10 @@ repos: # and checks these with shellcheck. This is arguably its most useful feature, # but the integration only works if shellcheck is installed - "github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.10.0" + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.11.0 + hooks: + - id: zizmor - repo: meta hooks: - id: check-hooks-apply