diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9af1e9f..364ac84 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,3 +6,5 @@ updates:
 interval: "weekly"
 reviewers:
 - "maxfischer2781"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7d71ae8..f2ddd23 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,8 @@ on:
 schedule:
 - cron: "4 9 * * 4"
+permissions: {}
+
 jobs:
 analyze:
 name: Analyze
@@ -24,18 +26,17 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13
 with:
 languages: ${{ matrix.language }}
 queries: +security-and-quality
- - name: Autobuild
- uses: github/codeql-action/autobuild@v4
-
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13
 with:
 category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/gha-verification.yml b/.github/workflows/gha-verification.yml
new file mode 100644
index 0000000..fd984da
--- /dev/null
+++ b/.github/workflows/gha-verification.yml
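Review bot: With `permissions: {}` now set at the workflow level, the `analyze` job keeps only the scopes it declares itself, and its job-level `permissions:` block (new lines 16–25) is outside this hunk. Please confirm it still grants `security-events: write`, which the `github/codeql-action/analyze` step in the following hunk needs to upload its SARIF results, and `contents: read` for the checkout; without them the scan runs but the upload is rejected. If the job has no `permissions:` block of its own, adding `permissions:` / `security-events: write` / `contents: read` under `analyze:` restores what the implicit default token previously provided.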
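Review bot: The new `uses:` pins in this hunk carry no version comment, unlike the identical `actions/checkout@de0fac2e…` pin in the new gha-verification.yml, which is annotated `# v6.0.2`; a bare SHA tells a reviewer nothing about what release was pinned, and Dependabot keeps that trailing comment in sync when it bumps the SHA. Suggest `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` here and a `# vX.Y.Z` comment (placeholder — fill in the tag the SHA resolves to) on the two `github/codeql-action/...@c10b8064…` lines. The same applies to the checkout, setup-python, codecov and pyright pins in the python-publish.yml, unittests.yml and verification.yml hunks of this commit. Dropping the Autobuild step is fine for interpreted languages, but the `matrix.language` list is outside this hunk, so verify it contains no compiled language that relied on it.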
@@ -0,0 +1,28 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read # only needed for private or internal repos
+ actions: read # only needed for private or internal repos
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+ with:
+ inputs: |
+ .github
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 72c0fd1..77a2ac3 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -1,12 +1,5 @@
-# This workflow will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 name: Upload Python Package
+permissions: {}
 on:
 release:
@@ -16,11 +9,19 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # IMPORTANT: this permission is mandatory for Trusted Publishing
+ id-token: write
+ environment:
+ name: pypi-publish
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: '3.x'
 - name: Install dependencies
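Review bot: The `pull_request` trigger on `branches: ["**"]` also fires for pull requests from forks, where the `GITHUB_TOKEN` is read-only regardless of the job-level `security-events: write`, so the SARIF upload performed by `zizmorcore/zizmor-action` will fail on contributor PRs and the check turns red for a reason unrelated to the audited workflows. Consider gating the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or, if the action offers a switch for it, disabling the code-scanning upload on fork PRs so the audit still reports through the job log. A short comment above the `permissions:` block explaining that `security-events: write` exists only for that upload would also help the next reader understand why a linting job needs a write scope.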
@@ -31,6 +32,3 @@ jobs:
 run: python -m build
 - name: Publish package
 uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
- with:
- user: __token__
- password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/unittests.yml b/.github/workflows/unittests.yml
index bf61a1d..09f75c5 100644
--- a/.github/workflows/unittests.yml
+++ b/.github/workflows/unittests.yml
@@ -1,4 +1,5 @@
 name: Unit Tests
+permissions: {}
 on:
 push:
@@ -7,8 +8,10 @@ on:
 - cron: '0 10 * * 3,6'
 jobs:
- build:
+ pytest:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
 python-version: [
@@ -17,9 +20,11 @@ jobs:
 ]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: ${{ matrix.python-version }}
 allow-prereleases: true
@@ -31,4 +36,4 @@ jobs:
 run: |
 pytest --durations=0 --cov=./
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2
diff --git a/.github/workflows/verification.yml b/.github/workflows/verification.yml
index fd358a4..7206cf6 100644
--- a/.github/workflows/verification.yml
+++ b/.github/workflows/verification.yml
@@ -1,4 +1,5 @@
 name: Static Checks
+permissions: {}
 on:
 push:
@@ -7,12 +8,16 @@ on:
 - cron: '0 10 * * 3,6'
 jobs:
- build:
+ verify:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: '3.x'
 - name: Install dependencies
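Review bot: Removing `user`/`password` switches `pypa/gh-action-pypi-publish` to Trusted Publishing, but nothing in the commit retires the API token the old step used: `secrets.PYPI_API_TOKEN` stays configured in the repository and remains valid on PyPI until it is revoked, so a stale or leaked copy could still publish releases. Revoke it in the PyPI project settings and delete the repository secret once the trusted publisher for the `pypi-publish` environment (set in the previous hunk) is confirmed working. A comment on the publish step would also spare the next reader a trip to the PyPI docs: `# authenticates via OIDC Trusted Publishing; the PyPI project must list this repo, workflow file and the pypi-publish environment as a trusted publisher`.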
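Review bot: Renaming the job id from `build` to `pytest` changes the name of the status check GitHub reports, so any branch-protection rule or ruleset that requires the `build` check will now wait on a check that never appears and block merges; the `build` → `verify` rename in the verification.yml hunk further down has the same effect. Update the required-checks configuration in the same change, or keep the job id stable and use a `name:` key for the friendlier label. Adding `contents: read` at job level under the new workflow-level `permissions: {}` is the right shape for both workflows.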
@@ -29,4 +34,4 @@ jobs:
 run: |
 mypy --pretty
 - name: Verify with PyRight
- uses: jakebailey/pyright-action@v3
+ uses: jakebailey/pyright-action@8ec14b5cfe41f26e5f41686a31eb6012758217ef