diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml index 4e684bde..4098fcda 100644 --- a/.github/workflows/build-release.yml +++ b/.github/workflows/build-release.yml @@ -5,6 +5,9 @@ on: tags: ["*"] pull_request: +permissions: + contents: read + jobs: tests: name: ${{ matrix.name }} @@ -19,6 +22,8 @@ jobs: - { name: "dev", python: "3.14", tox: py314-marshmallowdev } steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python }} @@ -29,6 +34,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.14" @@ -52,6 +59,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.14" diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4172a529..48fcf609 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -9,6 +9,10 @@ repos: hooks: - id: check-github-workflows - id: check-readthedocs +- repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.24.0 + hooks: + - id: zizmor - repo: https://github.com/asottile/blacken-docs rev: 1.20.0 hooks:
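Review bot: The workflow-level `permissions: contents: read` added before `jobs:` becomes the default for every job in this file, so a job that publishes must declare its own `permissions:` block or it loses scopes it previously inherited. The release job is not visible in this hunk; if it uses PyPI trusted publishing it would need `id-token: write` at job level. Note that a job-level block replaces the workflow default rather than extending it. A comment above the block, for example `# Least-privilege default; jobs that need more declare it themselves.`, would keep the intent clear for later edits.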
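Review bot: `persist-credentials: false` is added to the checkout step here, and again in the hunks at `@@ -29,6 +34,8 @@` and `@@ -52,6 +59,8 @@`, with no comment saying why. It is the kind of line that gets removed the first time a later step needs git access. A trailing comment such as `# no step in this job needs git auth; don't persist the token` would document it. It would also record the assumption to verify: a step that pushes, tags or fetches private submodules through git would now fail, and the steps after checkout are only partly visible in these hunks.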
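Review bot: The zizmor hook is pinned by tag (`rev: v1.24.0`), while the workflow it audits pins every action by commit SHA; a tag can be moved, and this hook runs code on contributor machines and wherever pre-commit runs in CI. The neighbouring hook uses the same tag style (`rev: 1.20.0`), so this is a repo-wide choice rather than a defect of this hunk, but `pre-commit autoupdate --freeze` would write the commit hash with a `# frozen: v1.24.0` comment if you want the same guarantee here. It is also worth confirming that pre-commit runs on pull requests (not visible in this diff); otherwise the audit only happens for contributors who installed the hooks locally.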