diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 17ed62ce..1a994c13 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -14,9 +14,9 @@ updates:
day: wednesday
time: "00:00"
- # Only accept updates that have been published for at least 3 days
+ # Only accept updates that have been published for at least a week
cooldown:
- default-days: 3
+ default-days: 7
# Create a grouped PR for minor/patch updates with majors getting dedicated PRs
groups:
@@ -32,9 +32,9 @@ updates:
day: wednesday
time: "00:00"
- # Only accept updates that have been published for at least 3 days
+ # Only accept updates that have been published for at least a week
cooldown:
- default-days: 3
+ default-days: 7
# Allow usage of any registry including npm-github w/ auth as above
registries: "*"
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 25e7f26a..cb67ee88 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -4,6 +4,9 @@ on:
push:
pull_request:
+permissions:
+ contents: read
+
jobs:
types:
runs-on: ubuntu-latest
@@ -11,6 +14,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -36,6 +41,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -61,6 +68,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
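Review bot: The reworded comment on `cooldown` says when a release becomes eligible but not what the longer wait costs: a release that fixes a published advisory also sits out the week unless Dependabot's security updates bypass the cooldown, and nothing in this file records which it is. Worth confirming against Dependabot's cooldown semantics and stating the outcome next to the value, e.g. `# Only accept version updates published for at least a week (supply-chain cooldown); confirm security updates are not delayed by this`. The same edit is repeated in the second hunk for the other ecosystem, so the two comments should stay identical. The enclosing `updates:` entry starts before the hunk.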
@@ -79,3 +88,18 @@ jobs:
- name: Build extension
run: pnpm build
+
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/.github/workflows/update-pnpm.yml b/.github/workflows/update-pnpm.yml
index 848ba08c..3e61ca4e 100644
--- a/.github/workflows/update-pnpm.yml
+++ b/.github/workflows/update-pnpm.yml
@@ -6,6 +6,9 @@ on:
# Run once per week on Monday at midnight, before Dependabot runs on Wednesday
- cron: "0 0 * * 1"
+permissions:
+ contents: read
+
jobs:
update:
runs-on: ubuntu-latest
@@ -13,6 +16,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
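Review bot: The `permissions:` block of the new `zizmor` job raises the workflow-level `contents: read` to `security-events: write` and `actions: read` without saying why, and a write scope on code scanning is the one grant here that a later cleanup is most likely to trim. A short comment on the block, `# security-events: write lets zizmor-action upload its SARIF to code scanning; actions: read presumably lets it read this repository's workflows`, would record the intent. Separately, on `pull_request` runs triggered from forks the GITHUB_TOKEN is read-only regardless of this grant, so the SARIF upload presumably cannot succeed there; worth confirming whether the action falls back to plain output or fails the job in that case, and noting the answer in the same comment.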
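Review bot: The workflow-level `permissions: contents: read` added here governs the `update` job below, whose remaining steps are outside the hunk; if one of them commits the refreshed pnpm version or opens a pull request with the default GITHUB_TOKEN, it now needs a job-level `permissions:` override (e.g. `contents: write`, and `pull-requests: write` if it opens a PR) or the push will be rejected. Either way a comment on the block, `# Read-only by default; the update job raises only the scopes it needs to push`, would make the intended split explicit.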
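Review bot: `persist-credentials: false` on this checkout also removes the token from the local git config that a later `git push` in the same job would otherwise use; the rest of the `update` job is outside the hunk, so if it pushes a branch or opens a PR it must now be given a token explicitly on the push step (a GitHub App or PAT is the usual choice, since the default token's pushes do not trigger downstream workflows). A one-line comment on the checkout, `# no persisted token: the push/PR step supplies its own credentials`, would document that dependency so the two settings are not changed independently.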