diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index d167ff6..fdf9cd8 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -1,3 +1,4 @@
+---
 name: Release

 on:
@@ -5,6 +6,8 @@ on:
 branches:
 - master

+permissions: {}
+
 jobs:
 release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a79149..4dac859 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,8 @@ concurrency:
 group: ci-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
 cancel-in-progress: true

+permissions: {}
+
 jobs:
 prechecks:
 uses: ./.github/workflows/pre-commit.yml
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 1892c22..f16b20c 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -9,6 +9,8 @@ concurrency:
 group: style-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
 cancel-in-progress: true

+permissions: {}
+
 jobs:
 pre-commit:
 runs-on: ubuntu-latest
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9fbf8c3..70104cb 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,7 +16,7 @@ repos:
 hooks:
 - id: validate_manifest
 - repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: v0.10.0
+ rev: v1.2.2
 hooks:
 - id: zizmor
 args: [--persona=pedantic]
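Review bot: With `permissions: {}` at workflow level in auto-tag.yml, the `release` job's GITHUB_TOKEN carries no scopes unless the job grants its own, and no job-level `permissions:` key is visible in this hunk (the job body continues past `runs-on`). If the job creates the tag or release with GITHUB_TOKEN, it needs `permissions: {contents: write}` under `release:`. If it authenticates with a separate token, a comment above the new line such as `# GITHUB_TOKEN intentionally has no scopes; grants are declared per job` would record that intent. The same check applies to the `pre-commit` job in pre-commit.yml, where checking out a private repository needs `contents: read`.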
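Review bot: The `prechecks` job in ci.yml calls `./.github/workflows/pre-commit.yml` as a reusable workflow, and a called workflow can only keep or reduce the caller's token permissions, never raise them. Under `permissions: {}` with no grant on the calling job, any job-level request inside pre-commit.yml would exceed what the caller allows, which presumably fails the run at validation. If the called job needs repository read access, add `permissions: {contents: read}` to `prechecks` here. The remaining jobs in this file are outside the hunk and would each need their own minimal grant.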