diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index d5016aa..2fa0c68 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -7,6 +7,8 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 3
 groups:
 all:
 update-types:
@@ -16,6 +18,8 @@ updates:
 directory: "./"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 3
 groups:
 all:
 update-types:
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 4185ebd..4975012 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -5,15 +5,9 @@ name: Action Lint
 on:
 pull_request:
 branches: ['main']
- paths:
- - '.github/workflows/**'
- - '.github/actions/**'
 push:
 branches: ['main']
- paths:
- - '.github/workflows/**'
- - '.github/actions/**'
 permissions: {}
diff --git a/.github/workflows/presubmit-testing.yaml b/.github/workflows/presubmit-testing.yaml
index 4cc48ab..dbfdc1e 100644
--- a/.github/workflows/presubmit-testing.yaml
+++ b/.github/workflows/presubmit-testing.yaml
@@ -25,6 +25,8 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
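Review bot: The `default-days: 3` added under `cooldown:` in both hunks (the `directory: "/"` and `directory: "./"` entries) is duplicated by `rules.dependabot-cooldown.config.days: 3` in the new `.github/zizmor.yml`, but only the zizmor side carries a cross-reference, so a future bump here would silently start failing the zizmor audit. Add the reciprocal comment above each `cooldown:` block: `# Keep in sync with rules.dependabot-cooldown.config.days in .github/zizmor.yml`. The cooldown itself is a sensible supply-chain control: a freshly published release is held for three days before Dependabot opens a PR, which leaves time for a compromised or broken version to be yanked upstream before it is proposed here.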
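Review bot: Removing both `paths:` filters leaves `Action Lint` running on every pull request and every push to `main` regardless of which files changed, and nothing in the file says why. If the motivation is to make the job usable as a required status check (a path-filtered job that is skipped never reports, so the PR stays pending), a one-line comment above `on:` would stop the next reader from re-adding the filter: `# No paths filter: this job is a required check, so it must report on every PR`. The zizmor workflow in this same commit keeps its `paths:` filter, so the two workflows are now inconsistent on this point; worth confirming that is deliberate.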
@@ -40,26 +42,29 @@ jobs:
 - name: Check default permissions
 env:
 GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
+ REPO_NAME: ${{ github.event.repository.name }}
 run: |
 go run . repo \
- --organization ${{ github.repository_owner }} \
- --repository ${{ github.event.repository.name }} \
+ --organization "${GITHUB_REPOSITORY_OWNER}" \
+ --repository "${REPO_NAME}" \
 default-permissions
 - name: Check for deploy keys
 env:
 GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+ REPO_NAME: ${{ github.event.repository.name }}
 run: |
 go run . repo \
- --organization ${{ github.repository_owner }} \
- --repository ${{ github.event.repository.name }} \
+ --organization "${GITHUB_REPOSITORY_OWNER}" \
+ --repository "${REPO_NAME}" \
 deploy-keys
 - name: Check branch protections
 env:
 GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+ REPO_NAME: ${{ github.event.repository.name }}
 run: |
 go run . repo \
- --organization ${{ github.repository_owner }} \
- --repository ${{ github.event.repository.name }} \
+ --organization "${GITHUB_REPOSITORY_OWNER}" \
+ --repository "${REPO_NAME}" \
 branch-protections
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index ea7a039..e582ce5 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -9,11 +9,15 @@ on:
 paths:
 - '.github/workflows/**'
 - '.github/actions/**'
+ - '.github/dependabot.yaml'
+ - '.github/zizmor.yml'
 push:
 branches: ['main']
 paths:
 - '.github/workflows/**'
 - '.github/actions/**'
+ - '.github/dependabot.yaml'
+ - '.github/zizmor.yml'
 permissions: {}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..d38b2c9
--- /dev/null
+++ b/.github/zizmor.yml
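Review bot: The identical `REPO_NAME: ${{ github.event.repository.name }}` line is added to each of the three consecutive steps; declaring it once in the job's `env:` block (which sits outside this hunk) would give the three `run:` blocks a single source and one place to edit. Moving the expression out of the shell script and into `env:` with `"${REPO_NAME}"` quoted is the right fix for expression-in-`run:` interpolation, and `GITHUB_REPOSITORY_OWNER` is a runner-provided default, so no addition is needed for it. Separately, the context lines show the first step reading the token from `GITHUB_TOKEN` while the other two use `GH_TOKEN` (pre-existing, not introduced here); if the tool honours both names, a one-line comment saying so would spare the next reader from treating it as a bug, and if it does not, the first step is passing its token under the wrong name. The enclosing job and its `env:` start outside the hunk.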
@@ -0,0 +1,15 @@
+# Copyright 2026 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+rules:
+ # Paired with `cooldown.default-days: 3` in .github/dependabot.yaml.
+ dependabot-cooldown:
+ config:
+ days: 3
+ # Cosmetic pedantic-only findings — suppressed across the campaign.
+ anonymous-definition:
+ disable: true
+ undocumented-permissions:
+ disable: true
+ concurrency-limits:
+ disable: true
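Review bot: The comment `# Cosmetic pedantic-only findings — suppressed across the campaign.` does not say what "the campaign" is or which persona `.github/workflows/zizmor.yaml` runs zizmor with, so a reader cannot tell whether the three `disable: true` entries are load-bearing for CI or merely quieting output nobody sees; replace it with the concrete reason and the invoking flags, e.g. `# Pedantic-persona audits disabled repo-wide: findings are stylistic and the CI job runs with the pedantic persona, so they would otherwise fail the run` (adjusted to whatever the workflow actually passes). Of the three, `undocumented-permissions` is the one I would hesitate to silence for the whole repository, since it is the only prompt to write a justification comment beside each non-default `permissions:` grant, which is cheap documentation of token scope. If it must stay off for existing workflows, zizmor's per-rule `ignore:` list scoped to those files would keep the audit active for new workflows. The `# Paired with ...` cross-reference on `dependabot-cooldown` is good; the matching note is missing on the dependabot.yaml side.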