diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
new file mode 100644
index 0000000..6086cd4
--- /dev/null
+++ b/.github/workflows/actionci.yml
@@ -0,0 +1,22 @@
+name: Action CI
+
+on:
+  push:
+    tags-ignore:
+    - 'v*'
+    branches:
+    - "main"
+  pull_request:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  actionci:
+    permissions:
+      contents: read
+      security-events: write
+    uses: smallstep/workflows/.github/workflows/actionci.yml@main
+    secrets: inherit
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9df2103..39dfad7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,8 +13,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   ci:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: smallstep/workflows/.github/workflows/goCI.yml@main
     with:
       only-latest-golang: true
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
index d42e504..d4791d7 100644
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
@@ -2,6 +2,11 @@ on:
   schedule:
     - cron: '0 0 * * SUN'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   code-scan:
     uses: smallstep/workflows/.github/workflows/code-scan.yml@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f7d7780..d051d5a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
     tags:
     - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     uses: smallstep/sequel/.github/workflows/ci.yml@main
@@ -14,19 +17,23 @@ jobs:
   create_release:
     name: Create Release
     needs: ci
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Is Pre-release
         id: is_prerelease
+        env:
+          REF: ${{ github.ref }}
         run: |
           set +e
-          echo ${{ github.ref }} | grep "\-rc.*"
+          echo "${REF}" | grep "\-rc.*"
           OUT=$?
           if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
           echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..3a14046
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,14 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "smallstep/*": ref-pin
+  secrets-inherit:
+    disable: true
+  ref-confusion:
+    disable: true
+  archived-uses:
+    ignore:
+      - release.yml
+  dependabot-cooldown:
+    disable: true