diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 82e3f38..ff916e7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,18 +5,37 @@ on: - "main" pull_request: +permissions: {} + jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 - - uses: prefix-dev/setup-pixi@v0.9.3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7 # v0.9.3 with: pixi-version: latest - run: pixi run mkdocs build - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: Website path: ./site if-no-files-found: error retention-days: 3 + zizmor: + name: GHA Security Analysis using Zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 7bbe2ee..e43f915 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
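Review bot: The two checkout steps in this hunk pin different releases of the same action — `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` in `build` and `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` in the new `zizmor` job — so one workflow now tracks two checkout lines; pick a single pinned SHA for the file. The `# v4` comments on checkout and upload-artifact (and on checkout and cache in the gh-pages.yml hunk) name a floating major tag rather than the exact release the hash corresponds to, which is what a reviewer or a pin-updating tool needs to verify the SHA; write the exact version, as the `# v6.0.2` and `# v0.9.3` comments already do. The `zizmor` job's `permissions:` block grants only `security-events: write`, and a job-level block replaces the workflow-level one entirely, so the job runs without `contents: read`; on a private repository the checkout would fail, and the SARIF upload may additionally need `actions: read` — confirm against the zizmor-action README and add `contents: read` alongside `security-events: write` if so.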
@@ -12,16 +12,18 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Configure Git Credentials run: | git config user.name github-actions[bot] git config user.email 41898282+github-actions[bot]@users.noreply.github.com - - uses: prefix-dev/setup-pixi@v0.9.3 + - uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7 # v0.9.3 with: pixi-version: latest - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: key: mkdocs-material-${{ env.cache_id }} path: .cache
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f2e3541..0f0f58d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -29,3 +29,8 @@ repos: - id: prettier exclude: "^docs/talks/assets/.*" args: ["--tab-width", "4"] + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.25.2 + hooks: + - id: zizmor + args: ["--offline"]
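Review bot: `persist-credentials: false` on the `deploy` job's checkout removes the token that a later `git push` would otherwise pick up from the checked-out remote, and the `Configure Git Credentials` step right after it sets only `user.name` and `user.email`, not an auth token; if the deploy step that follows `path: .cache` (outside this hunk) pushes to the pages branch with git, it will now fail to authenticate. Confirm how that step pushes, and if it relies on the persisted token, hand it the token explicitly for that one step instead of re-enabling persistence for the whole job. Unlike the ci.yml change, no job-level `permissions:` was added to `deploy`, so it still runs with the repository's default token scopes; `permissions:` / `contents: write` on the job would limit it to the one scope a pages push needs. The `deploy` job continues past the end of the hunk.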
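Review bot: `args: ["--offline"]` turns off zizmor's network-backed audits (the ones that compare pinned refs against upstream, such as the known-vulnerable-actions check, as far as I recall), so the pre-commit hook only reports findings that can be computed from the file alone and the CI `zizmor` job in ci.yml is what covers the rest; the line deserves a comment stating that split, e.g. `# --offline: skip network audits locally; the zizmor job in ci.yml runs the full set.` Pinning `rev: v1.25.2` to a tag rather than a SHA follows the pre-commit convention and needs no change.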