diff --git a/.github/workflows/abbreviations.yml b/.github/workflows/abbreviations.yml index 5d91e956..e9fd0e99 100644 --- a/.github/workflows/abbreviations.yml +++ b/.github/workflows/abbreviations.yml @@ -13,8 +13,9 @@ jobs: contents: write steps: - - name: Checkout source - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download VSCode abbreviations run: | gh api -H 'Accept: application/vnd.github.raw' '/repos/leanprover/vscode-lean4/contents/lean4-unicode-input/src/abbreviations.json' >vscode-lean/abbreviations.json diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c3d17aeb..81b3fcd1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,6 +21,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Neovim uses: rhysd/action-setup-vim@v1 with: @@ -46,6 +48,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Upload to LuaRocks uses: nvim-neorocks/luarocks-tag-release@v7 env: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 7b0c212a..0f627a31 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -6,8 +6,13 @@ jobs: docs: runs-on: ubuntu-latest + permissions: + contents: write + steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: extractions/setup-just@v2 - name: Install Neovim diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d4b7ec20..ea2fc581 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,3 +33,7 @@ repos: rev: v0.14.0 hooks: - id: markdownlint-cli2 + - repo: https://github.com/woodruffw/zizmor + rev: v0.2.0 + hooks: + - id: zizmor
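Review bot: In `.github/workflows/abbreviations.yml` the job keeps `contents: write` while the checkout now sets `persist-credentials: false`, so a later step that relies on a plain `git push` would no longer find a credential in `.git/config`. The job continues past this hunk, so whether such a step exists cannot be confirmed from here. If a later step commits or opens a pull request, check that it is handed the token explicitly (the action's `token` input, or `GH_TOKEN` for `gh`). A comment above `contents: write` naming the step that needs it would record why write access remains.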
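Review bot: In `.github/workflows/ci.yml` the third-party action that follows the hardened checkout is still referenced by a mutable tag, `rhysd/action-setup-vim@v1`, so a moved tag changes what runs in the job without any change in this repository. The same applies to `nvim-neorocks/luarocks-tag-release@v7` in the next hunk, which is followed by an `env:` block and so presumably receives the LuaRocks credential. It also applies to `extractions/setup-just@v2` in `docs.yml`, which runs in a job that this commit gives `contents: write`. Pinning each to a full commit SHA with the tag kept as a comment would close that gap, e.g. `uses: rhysd/action-setup-vim@<full-commit-sha> # v1`. All three jobs start and end outside the hunks shown.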
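Review bot: The `permissions:` block added to the `docs` job in `.github/workflows/docs.yml` grants `contents: write` to every step of the job, not only to the one that publishes. The steps visible here (`extractions/setup-just@v2`, Install Neovim) only set up tooling, and the rest of the job is outside the hunk. If only a final publish step writes, moving it into its own job that depends on a `contents: read` build job would keep the write-scoped token away from the setup actions. With `persist-credentials: false`, that publishing step also has to be given the token explicitly. At minimum, a comment above `contents: write` naming the step that needs it would make the grant reviewable.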
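Review bot: The `zizmor` hook added to `.pre-commit-config.yaml` audits the workflows only where pre-commit actually runs, and nothing in this diff shows pre-commit being run on pull requests. A contributor who skips the hook could reintroduce a checkout without `persist-credentials: false` unnoticed. If CI does not already run pre-commit, consider running the audit there as well. `rev: v0.2.0` is a tag like the other hooks in the file; `pre-commit autoupdate --freeze` would record the commit hash instead if the project wants immutable hook revisions.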