diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 63e9b6d26..ad39dd8a2 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Build Docker images
 # This matches the Docker image building done in the release process.
@@ -17,6 +16,8 @@ on:
 - cron: 0 1 * * *
 workflow_dispatch: {}
+permissions: {}
+
 jobs:
 build:
 name: Build Docker images
@@ -31,6 +32,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c850e0fad..12b738ab7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Lint
 on:
@@ -13,9 +12,10 @@ on:
 - cron: 0 1 * * *
 workflow_dispatch: {}
+permissions: {}
+
 jobs:
 build:
-
 strategy:
 matrix:
 python-version: ['3.13']
@@ -25,6 +25,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9cd203fa1..8ae91c012 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,4 @@
 ---
-
 name: Release
 on: workflow_dispatch
@@ -29,6 +28,7 @@ jobs:
 # Also, avoids
 # https://github.com/stefanzweifel/git-auto-commit-action/issues/99.
 fetch-depth: 0
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 992027cdc..386db8031 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,6 +16,8 @@ on:
 # workflows. We therefore want to run only one workflow at a time.
 concurrency: vuforia_credentials
+permissions: {}
+
 jobs:
 # CI tests with matrix
 ci-tests:
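Review bot: The top-level `permissions: {}` added to docker-build.yml strips every GITHUB_TOKEN scope from the `build` job, so if any step in that job pushes an image or otherwise writes with the token, it now needs its own job-level grant (e.g. `permissions: { packages: write }` under `build:`); the hunk shows only the job header, and the header comment says this mirrors the release build, so I cannot tell from here whether such a step exists. If the workflow is genuinely build-only, a one-line comment above the new key recording that would spare the next reader the same check, e.g. `# Build-only: no job in this workflow needs a GITHUB_TOKEN scope.`. The `build` job body continues outside the hunk.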
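Review bot: `persist-credentials: false` on the release.yml checkout removes the token that `git-auto-commit-action` (named in the comment two lines above the added line) relies on to push, so if a later step in this job commits or tags, it will fail at push time unless a token is supplied another way, such as a `token:` input on the commit step or an authenticated remote URL set just before it. The job header and the later steps lie outside the hunk, so I can only infer the push from the `fetch-depth: 0` comment. Separately, release.yml is the one workflow in this diff that does not receive a top-level `permissions: {}`; unless it already declares permissions further down, its jobs keep the repository-default token scopes, and a release job that writes to the repo is exactly where a job-level `permissions: { contents: write }` with a read-only default at the top is most valuable.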
@@ -117,6 +119,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
@@ -186,6 +190,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
@@ -229,6 +235,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
@@ -269,6 +277,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@v7
diff --git a/.prettierrc b/.prettierrc
index 3ab9aa054..4a36aae89 100644
--- a/.prettierrc
+++ b/.prettierrc
@@ -3,7 +3,8 @@
 {
 "files": ["*.yaml", "*.yml"],
 "options": {
- "singleQuote": true
+ "singleQuote": true,
+ "printWidth": 100
 }
 }
 ]
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 000000000..f63e179d2
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,12 @@
+---
+rules:
+ unpinned-uses:
+ disable: true
+ cache-poisoning:
+ disable: true
+ bot-conditions:
+ disable: true
+ dependabot-cooldown:
+ disable: true
+ template-injection:
+ disable: true
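Review bot: Disabling `unpinned-uses` and `template-injection` repository-wide in the new `zizmor.yml` turns off the two audits that most directly cover supply-chain and injection risk, and the workflows in this same diff still reference actions by mutable tag (`actions/checkout@v6`, `astral-sh/setup-uv@v7`, `docker/setup-qemu-action@v3`), so the first rule is being silenced rather than satisfied. A retagged release of any of those actions would run unreviewed code in jobs that appear to handle real credentials (test.yml serialises on a `vuforia_credentials` concurrency group); pinning each `uses:` to a full commit SHA with a trailing version comment (`uses: actions/checkout@<commit-sha> # v6`) and deleting the `unpinned-uses:` / `disable: true` pair keeps the check live. For `template-injection`, prefer a per-step `# zizmor: ignore[template-injection]` on any confirmed false positive over a global disable, so a newly added `${{ github.event.* }}` interpolation inside a `run:` block is still flagged. If these were switched off only to get a clean baseline, say so at the top of the file (`# Temporary baseline exceptions; re-enable each rule as the workflows are fixed.`) so the exceptions do not quietly become permanent.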