diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 83cbce290..8118c2c5d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,7 +46,7 @@ jobs:
with:
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
- name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@v5.4.2
with:
version: ${{ env.DEFAULT_UV_VERSION }}
enable-cache: true
@@ -100,7 +100,7 @@ jobs:
with:
python-version: "${{ matrix.python-version }}"
- name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@v5.4.2
with:
version: ${{ env.DEFAULT_UV_VERSION }}
enable-cache: true
@@ -392,7 +392,7 @@ jobs:
with:
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
- name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@v5.4.2
with:
version: ${{ env.DEFAULT_UV_VERSION }}
enable-cache: true
@@ -540,7 +540,7 @@ jobs:
with:
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
- name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@v5.4.2
with:
version: ${{ env.DEFAULT_UV_VERSION }}
enable-cache: true
diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml
index 3711d3f6e..585bd3260 100644
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
@@ -6,6 +6,9 @@ on:
push:
paths: ['src/locale/**', 'src-ui/messages.xlf', 'src-ui/src/locale/**']
branches: [dev]
+permissions:
+ contents: write
+ pull-requests: write
jobs:
synchronize-with-crowdin:
name: Crowdin Sync
@@ -14,8 +17,10 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: crowdin action
- uses: crowdin/github-action@v2
+ uses: crowdin/github-action@v2.7.0
with:
upload_translations: false
download_translations: true
diff --git a/.github/workflows/repo-maintenance.yml b/.github/workflows/repo-maintenance.yml
index 61b86a0d2..2493afb67 100644
--- a/.github/workflows/repo-maintenance.yml
+++ b/.github/workflows/repo-maintenance.yml
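Review bot: The new `permissions:` block in crowdin.yml is placed at workflow level, so `contents: write` and `pull-requests: write` are granted to every job in the file rather than only to `synchronize-with-crowdin`. With a single job this is equivalent today, but moving the block under the job keeps any job added later on the read-only default token, which is the least-privilege form the repo-maintenance.yml change in this same commit already uses. Whether the repository's default token permission is already read-only is not visible from this hunk.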
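Review bot: With `persist-credentials: false` on the checkout, the `crowdin action` step no longer inherits a token from `.git/config`, so whatever branch push or pull request `download_translations: true` produces only works if the step is handed a token explicitly. The rest of that step's `with:` block is outside the hunk; please confirm it carries a `github_token:` (or an equivalent PAT input) and that the workflow-level `permissions:` added above is what that token relies on. A one-line comment on the checkout, `# no persisted token: the crowdin step uses its own github_token`, would make the dependency explicit for the next reader.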
@@ -12,6 +12,9 @@ concurrency:
jobs:
stale:
name: 'Stale'
+ permissions:
+ issues: write
+ pull-requests: write
if: github.repository_owner == 'paperless-ngx'
runs-on: ubuntu-24.04
steps:
@@ -27,6 +30,10 @@ jobs:
lock-threads:
name: 'Lock Old Threads'
+ permissions:
+ issues: write
+ pull-requests: write
+ discussions: write
if: github.repository_owner == 'paperless-ngx'
runs-on: ubuntu-24.04
steps:
@@ -47,6 +54,8 @@ jobs:
close-answered-discussions:
name: 'Close Answered Discussions'
+ permissions:
+ discussions: write
if: github.repository_owner == 'paperless-ngx'
runs-on: ubuntu-24.04
steps:
diff --git a/.github/workflows/translate-strings.yml b/.github/workflows/translate-strings.yml
index 4a4ae1885..a1e50d65d 100644
--- a/.github/workflows/translate-strings.yml
+++ b/.github/workflows/translate-strings.yml
@@ -15,6 +15,7 @@ jobs:
with:
token: ${{ secrets.PNGX_BOT_PAT }}
ref: ${{ github.head_ref }}
+ persist-credentials: true
- name: Set up Python
id: setup-python
uses: actions/setup-python@v5
@@ -23,7 +24,7 @@ jobs:
sudo apt-get update -qq
sudo apt-get install -qq --no-install-recommends gettext
- name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@v5.4.2
with:
enable-cache: true
- name: Install backend python dependencies
@@ -34,7 +35,7 @@ jobs:
- name: Generate backend translation strings
run: cd src/ && uv run manage.py makemessages -l en_US -i "samples*"
- name: Install pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@v4.1.0
with:
version: 10
- name: Use Node.js 20
@@ -61,7 +62,7 @@ jobs:
cd src-ui
pnpm run ng extract-i18n
- name: Commit changes
- uses: stefanzweifel/git-auto-commit-action@v5
+ uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
with:
file_pattern: 'src-ui/messages.xlf src/locale/en_US/LC_MESSAGES/django.po'
commit_message: "Auto translate strings"
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..8416f1f48
--- /dev/null
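Review bot: `persist-credentials: true` keeps `PNGX_BOT_PAT` in `.git/config` for every later step of this job, and those steps (`uv run manage.py makemessages`, `pnpm run ng extract-i18n`, and the dependency installs before them) execute code taken from the checked-out `github.head_ref`. The trigger is above the hunk; if this workflow runs on `pull_request_target` or otherwise on fork branches, a change to the build scripts in that branch can read the PAT, and the explicit `true` now makes that opt-out of actions/checkout's safer default deliberate. Guard the job against foreign heads, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, or keep the PAT limited to the final commit step, and add a why-comment such as `# PAT must persist so git-auto-commit-action can push` next to the new line so the exception is documented.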
+++ b/.github/zizmor.yml
@@ -0,0 +1,8 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: ref-pin
+ crowdin/github-action: ref-pin
+ astral-sh/setup-uv: ref-pin
+ pnpm/action-setup: ref-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a20ed19d7..a16f703ba 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -48,6 +48,10 @@ repos:
additional_dependencies:
- prettier@3.3.3
- 'prettier-plugin-organize-imports@4.1.0'
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.6.0
+ hooks:
+ - id: zizmor
# Python hooks
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.9.9
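Review bot: The `ref-pin` policy for `crowdin/github-action`, `astral-sh/setup-uv` and `pnpm/action-setup` is exactly what this commit then satisfies with mutable tags (`@v2.7.0`, `@v5.4.2`, `@v4.1.0`); a tag can be repointed to different code without any diff in these workflows, whereas the `git-auto-commit-action@b863ae1933…  # v5.2.0` pin in translate-strings.yml cannot. Prefer `hash-pin` for these third-party actions, keeping the trailing `# vX.Y.Z` comment so Dependabot/Renovate can still bump them, and reserve the `ref-pin` exemption for `actions/*` if it is wanted at all. Whether zizmor's default for owners not listed here remains `hash-pin` is not visible in this file; spelling it out with a `"*": hash-pin` entry (quoted, since a bare `*` is a YAML alias indicator) records the intent.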
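Review bot: Adding zizmor as a pre-commit hook only enforces it on machines where the hooks are installed; a contributor who skips pre-commit can still land an unpinned `uses:` unless the same check runs in CI. If ci.yml already has a job that runs the full pre-commit suite (not visible in this diff) this is covered; otherwise add a CI step that runs zizmor against `.github/` so the policy in `.github/zizmor.yml` is a blocking gate rather than advisory. A short comment above the hook, `# lints .github/workflows against .github/zizmor.yml`, would also tell readers where its configuration lives.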