diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8ac6b8c4..177b067f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
 directory: "/"
 schedule:
 interval: "monthly"
+cooldown:
+default-days: 7
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index e236f78d..37d9ef67 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -4,7 +4,7 @@ on:
 issues:
 types:
 - opened
-pull_request_target:
+pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - opened
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 356b84d7..290583ab 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -5,20 +5,23 @@ on:
 tags:
 - v[0-9]+.[0-9]+.[0-9]+*
 
-permissions:
-id-token: write
-contents: read
+permissions: {}
 
 jobs:
 docs:
 runs-on: ubuntu-latest
 environment: docs-publish
+permissions:
+id-token: write
+contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag: v6.0.2
+with:
+persist-credentials: false
 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # tag: v6.2.0
 with:
 node-version: 22.12.x
-cache: 'yarn'
+package-manager-cache: false
 - name: Install dependencies
 run: yarn --immutable
 - name: Build API documentation
@@ -32,5 +35,5 @@ jobs:
 - name: Upload to Azure Blob Storage
 uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # tag: v2.2.0
 with:
-inlineScript: |
+inlineScript: | # zizmor: ignore[template-injection] This only runs on tags
 az storage blob upload-batch --account-name ${{ secrets.AZURE_ECOSYSTEM_PACKAGES_STORAGE_ACCOUNT_NAME }} -d '$web/get/${{ github.ref_name }}' -s ./docs --overwrite --auth-mode login
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bfc9a12a..0e37b956 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
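Review bot: The new `cooldown` block carries no comment on why version updates are held back for seven days, and the ecosystem it applies to sits above the hunk. A one-line rationale lets the next maintainer tune it rather than delete it: `cooldown: # hold new releases for a week so versions that are yanked or found compromised shortly after publishing are not proposed`. As far as I recall, Dependabot security updates are not subject to the cooldown, so advisory-driven PRs should not be delayed by this — worth confirming against the Dependabot docs before relying on it.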
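Review bot: The `dangerous-triggers` suppression on `pull_request_target` gives no justification, unlike the `template-injection` suppression in docs.yml, and the job steps that decide whether it is sound are outside the hunk. `pull_request_target` runs with the base repository's token and secrets on pull requests from forks, so the suppression is only safe if no step checks out or executes content controlled by the PR. If the workflow only adds the item to a project board, record that on the line so the next reviewer does not have to re-derive it: `pull_request_target: # zizmor: ignore[dangerous-triggers] only adds the PR to a project; never checks out or runs PR code`.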
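Review bot: `package-manager-cache: false` replaces `cache: 'yarn'` and removes dependency caching from this job without saying why; presumably the intent is to keep a tag-triggered publishing workflow from restoring a cache that a less trusted run could have written (zizmor's cache-poisoning audit), but a reader will otherwise see it as a lost optimisation and re-add caching. Suggest `package-manager-cache: false # no dependency cache in a publishing job: a restored cache is untrusted input to the published artifact`. The move of `id-token`/`contents` to job level and `persist-credentials: false` are the right direction; the remaining steps of the `docs` job are outside the hunk, so check that none of them relies on stored git credentials.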
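Review bot: The suppression justifies `${{ github.ref_name }}` with "only runs on tags", but the tag filter `v[0-9]+.[0-9]+.[0-9]+*` accepts any suffix and git's ref-name rules permit characters such as `'` or `;`, so the expression is still spliced into the shell command as text. Passing it through the environment removes the finding instead of silencing it: add `env: REF_NAME: ${{ github.ref_name }}` on the step and write `-d '$web/get/'"$REF_NAME"` in the script, keeping `$web` single-quoted so the shell does not expand it. Whether a step-level `env` is visible inside the azure/cli container should be confirmed before relying on it; if it is not, say so on the ignore comment. Anyone who can push a matching tag is already a maintainer, so the practical exposure is low, but the env-var form is the standard pattern and costs nothing.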
@@ -5,8 +5,12 @@ on:
 branches:
 - main
 
+permissions: {}
+
 jobs:
 test:
+permissions:
+contents: read
 uses: ./.github/workflows/test.yml
 
 release:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9abd5366..5e69636c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,8 +8,7 @@ on:
 - cron: '0 22 * * 3'
 workflow_call:
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 test:
@@ -23,10 +22,14 @@ jobs:
 - ubuntu-latest
 - windows-latest
 runs-on: "${{ matrix.os }}"
+permissions:
+contents: read
 steps:
 - run: git config --global core.autocrlf input
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
 with:
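Review bot: With the top-level `permissions: {}` the `release` job, which begins on the hunk's last line and whose body is outside the hunk, now inherits no token scopes; unless it already declares its own `permissions:` block, any publishing step that uses `GITHUB_TOKEN` will fail with a 403, so confirm that block exists before merging. The `contents: read` granted to the `test` caller job matches the job-level grant test.yml sets in this same commit, which is the correct way to bound a reusable-workflow call.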
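Review bot: `persist-credentials: false` stops the checkout from leaving the workflow token in `.git/config`, so any later step in this job that pushes, or fetches from a private repository, would now fail; the steps after the `Setup Node.js` `with:` block are outside the hunk, so confirm none of them needs git credentials (the same check applies to the checkout in docs.yml). The job-level `contents: read` together with the top-level `permissions: {}` in the first hunk is consistent with what release.yml grants when it calls this workflow via `workflow_call`.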