diff --git a/.github/workflows/check-pr-labels.yaml b/.github/workflows/check-pr-labels.yaml
index 4fbb7fc0b..a6a68e880 100644
--- a/.github/workflows/check-pr-labels.yaml
+++ b/.github/workflows/check-pr-labels.yaml
@@ -1,6 +1,6 @@
 name: Ready
 on:
-  pull_request_target:
+  pull_request:
     types:
       - labeled
       - opened
@@ -8,6 +8,8 @@ on:
       - synchronize
       - unlabeled
 
+permissions: {}
+
 jobs:
   hold:
     if: github.event.pull_request.merged == false
diff --git a/.github/workflows/container_image.yaml b/.github/workflows/container_image.yaml
index eed5f71da..7c59e8e37 100644
--- a/.github/workflows/container_image.yaml
+++ b/.github/workflows/container_image.yaml
@@ -17,10 +17,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        persist-credentials: false
 
     - run: |
-        docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io
+        docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io # zizmor: ignore[secrets-outside-env]
 
         docker build -t ${{ env.image_tag_branch }} .
         docker push ${{ env.image_tag_branch }}
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 3cc044e21..4ff55e984 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -28,17 +28,19 @@ jobs:
     runs-on: ubuntu-${{ matrix.ubuntu_version }}
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        persist-credentials: false
 
     - name: Deploy devstack
-      uses: EmilienM/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1
+      uses: gophercloud/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1 # tag=v0.19
       with:
         enable_workaround_docker_io: 'false'
         branch: ${{ matrix.openstack_version }}
         enabled_services: "openstack-cli-server"
 
     - name: Deploy a Kind Cluster
-      uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
+      uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # tag=v1.14.0
       with:
         cluster_name: orc
 
@@ -50,7 +52,7 @@ jobs:
     - name: Deploy orc
       run: |
         kubectl config use-context kind-orc
-        make deploy IMG=${{ env.image_tag }}
+        make deploy IMG=${{ env.image_tag }} LOGLEVEL=5
 
     - name: Run e2e tests
       run: make test-e2e
@@ -63,7 +65,7 @@ jobs:
 
     - name: Upload logs artifacts on failure
       if: failure()
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7
       with:
         name: e2e-${{ matrix.name }}-${{ github.run_id }}
         path: /tmp/artifacts/*
diff --git a/.github/workflows/generate.yaml b/.github/workflows/generate.yaml
index 9a1eb5807..b347c5f34 100644
--- a/.github/workflows/generate.yaml
+++ b/.github/workflows/generate.yaml
@@ -12,7 +12,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - run: |
           make generate
diff --git a/.github/workflows/go-lint.yaml b/.github/workflows/go-lint.yaml
index f88b3a130..c1dfd6ba8 100644
--- a/.github/workflows/go-lint.yaml
+++ b/.github/workflows/go-lint.yaml
@@ -12,16 +12,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Calculate go version
         id: vars
         run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
 
       - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
         with:
           go-version: ${{ steps.vars.outputs.go_version }}
+          cache: false
 
       - run: |
           make lint 
diff --git a/.github/workflows/label-pr.yaml b/.github/workflows/label-pr.yaml
index e226f3263..723dc1f87 100644
--- a/.github/workflows/label-pr.yaml
+++ b/.github/workflows/label-pr.yaml
@@ -1,92 +1,84 @@
 name: Label PR
 on:
+  # zizmor: ignore[dangerous-triggers] edits job only runs actions/labeler, no code checkout
   pull_request_target:
     types:
       - opened
       - synchronize
       - reopened
-permissions:
-  contents: read
-  pull-requests: write
+  # zizmor: ignore[dangerous-triggers] semver-label job never checks out or executes untrusted code
+  workflow_run:
+    workflows: ["Semver analysis"]
+    types:
+      - completed
+
+permissions: {}
 
 jobs:
-  semver:
+  semver-label:
+    if: github.event_name == 'workflow_run'
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      pull-requests: write
     steps:
-    - uses: actions/checkout@v6
+    - name: Download semver results
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # tag=v8.0.1
       with:
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-        token: ${{ secrets.GITHUB_TOKEN }}
+        name: semver-results
+        run-id: ${{ github.event.workflow_run.id }}
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Read PR number
+      id: pr
+      run: echo "number=$(cat pr-number)" >> $GITHUB_OUTPUT
 
-    - name: Rebase the PR against origin/github.base_ref to ensure actual API compatibility
+    - name: Report failure
+      if: github.event.workflow_run.conclusion == 'failure'
       run: |
-        git config --global user.email "localrebase@k-orc.cloud"
-        git config --global user.name "Local rebase"
-        git rebase -i origin/${{ github.base_ref }}
+        gh pr edit "$NUMBER" --remove-label "semver:major,semver:minor,semver:patch"
+        gh issue comment "$NUMBER" --body "$BODY"
       env:
-        GIT_SEQUENCE_EDITOR: '/usr/bin/true'
-
-    - name: Calculate go version
-      id: vars
-      run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
-
-    - name: Set up Go
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
-      with:
-        go-version: ${{ steps.vars.outputs.go_version }}
-
-    - name: Checking Go API Compatibility
-      id: go-apidiff
-      # if semver=major, this will return RC=1, so let's ignore the failure so label
-      # can be set later. We check for actual errors in the next step.
-      continue-on-error: true
-      uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GH_REPO: ${{ github.repository }}
+        NUMBER: ${{ steps.pr.outputs.number }}
+        BODY: >
+          Failed to assess the semver bump. See [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}) for details.
 
-    # go-apidiff returns RC=1 when semver=major, which makes the workflow to return
-    # a failure. Instead let's just return a failure if go-apidiff failed to run.
-    - name: Return an error if Go API Compatibility couldn't be verified
-      if: steps.go-apidiff.outcome != 'success' && steps.go-apidiff.outputs.semver-type != 'major'
-      run: exit 1
+    - name: Read semver type
+      if: github.event.workflow_run.conclusion == 'success'
+      id: semver
+      run: echo "type=$(cat semver-type)" >> $GITHUB_OUTPUT
 
     - name: Add label semver:patch
-      if: steps.go-apidiff.outputs.semver-type == 'patch'
+      if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'patch'
       run: gh pr edit "$NUMBER" --add-label "semver:patch" --remove-label "semver:major,semver:minor"
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GH_REPO: ${{ github.repository }}
-        NUMBER: ${{ github.event.pull_request.number }}
+        NUMBER: ${{ steps.pr.outputs.number }}
 
     - name: Add label semver:minor
-      if: steps.go-apidiff.outputs.semver-type == 'minor'
+      if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'minor'
       run: gh pr edit "$NUMBER" --add-label "semver:minor" --remove-label "semver:major,semver:patch"
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GH_REPO: ${{ github.repository }}
-        NUMBER: ${{ github.event.pull_request.number }}
+        NUMBER: ${{ steps.pr.outputs.number }}
 
     - name: Add label semver:major
-      if: steps.go-apidiff.outputs.semver-type == 'major'
+      if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'major'
       run: gh pr edit "$NUMBER" --add-label "semver:major" --remove-label "semver:minor,semver:patch"
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GH_REPO: ${{ github.repository }}
-        NUMBER: ${{ github.event.pull_request.number }}
-
-    - name: Report failure
-      if: failure()
-      run: |
-        gh pr edit "$NUMBER" --remove-label "semver:major,semver:minor,semver:patch"
-        gh issue comment "$NUMBER" --body "$BODY"
-        exit 1
-      env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GH_REPO: ${{ github.repository }}
-        NUMBER: ${{ github.event.pull_request.number }}
-        BODY: >
-          Failed to assess the semver bump. See [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details.
+        NUMBER: ${{ steps.pr.outputs.number }}
 
   edits:
+    if: github.event_name == 'pull_request_target'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-    - uses: actions/labeler@v6
+    - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # tag=v6
diff --git a/.github/workflows/release_image.yaml b/.github/workflows/release_image.yaml
index d72e9f0cb..affdb6f3c 100644
--- a/.github/workflows/release_image.yaml
+++ b/.github/workflows/release_image.yaml
@@ -16,10 +16,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        persist-credentials: false
 
     - run: |
-        docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io
+        docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io # zizmor: ignore[secrets-outside-env]
 
         docker build -t ${{ env.image_tag }} .
         docker push ${{ env.image_tag }}
diff --git a/.github/workflows/semver.yaml b/.github/workflows/semver.yaml
new file mode 100644
index 000000000..42c5d6a8c
--- /dev/null
+++ b/.github/workflows/semver.yaml
@@ -0,0 +1,68 @@
+name: Semver analysis
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+        persist-credentials: false
+
+    - name: Rebase the PR against base ref to ensure actual API compatibility
+      run: |
+        git config --global user.email "localrebase@k-orc.cloud"
+        git config --global user.name "Local rebase"
+        git rebase -i origin/$BASE_REF
+      env:
+        GIT_SEQUENCE_EDITOR: '/usr/bin/true'
+        BASE_REF: ${{ github.base_ref }}
+
+    - name: Calculate go version
+      id: vars
+      run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+
+    - name: Set up Go
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+
+    - name: Checking Go API Compatibility
+      id: go-apidiff
+      # if semver=major, this will return RC=1, so let's ignore the failure so label
+      # can be set later. We check for actual errors in the next step.
+      continue-on-error: true
+      uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 # tag=v0.8.3
+
+    # go-apidiff returns RC=1 when semver=major, which makes the workflow to return
+    # a failure. Instead let's just return a failure if go-apidiff failed to run.
+    - name: Return an error if Go API Compatibility couldn't be verified
+      if: steps.go-apidiff.outcome != 'success' && steps.go-apidiff.outputs.semver-type != 'major'
+      run: exit 1
+
+    - name: Save semver result
+      if: always()
+      run: |
+        mkdir -p semver-results
+        echo "$SEMVER_TYPE" > semver-results/semver-type
+        echo "$PR_NUMBER" > semver-results/pr-number
+      env:
+        SEMVER_TYPE: ${{ steps.go-apidiff.outputs.semver-type }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+
+    - name: Upload semver results
+      if: always()
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7
+      with:
+        name: semver-results
+        path: semver-results/
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index 671b53086..7716dd504 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -16,16 +16,19 @@ jobs:
           - '1'
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Calculate go version
         id: vars
         run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
 
       - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0
         with:
           go-version: ${{ steps.vars.outputs.go_version }}
+          cache: false
 
       - run: |
          make test