diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3fb56b5776..513dbb245c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -33,6 +33,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3 diff --git a/.github/workflows/dev-publish.yml b/.github/workflows/dev-publish.yml index a66e99ac2a..93736370f6 100644 --- a/.github/workflows/dev-publish.yml +++ b/.github/workflows/dev-publish.yml @@ -14,6 +14,8 @@ jobs: id-token: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: 22 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index ec8744ba1c..22d41b412f 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -4,17 +4,16 @@ on: release: types: [created] -permissions: - contents: read - pages: write - id-token: write - concurrency: group: 'pages' cancel-in-progress: false jobs: deploy: + permissions: + contents: read + pages: write + id-token: write environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} @@ -23,6 +22,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: + persist-credentials: false ref: main - name: Setup Pages uses: actions/configure-pages@v3 diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 7043240a84..c03e26c177 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -16,6 +16,8 @@ jobs: id-token: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: 22 diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml index a39684c4de..efd50d1000 100644 --- a/.github/workflows/osv.yml +++ b/.github/workflows/osv.yml 
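Review bot: The new `persist-credentials: false` lands without a comment, and the same bare line is repeated in dev-publish.yml, docs.yml, npm-publish.yml and every test.yml checkout; a one-line why-comment on at least the first occurrence would keep a future maintainer from dropping it, e.g. `persist-credentials: false  # keep GITHUB_TOKEN out of .git/config for later steps`. Any later step in these jobs that relied on the persisted token for a `git push` or `git fetch` of a private ref will now fail; none is visible in these hunks and the rest of each job lies outside them, so that is worth confirming before merge. The checkout action itself stays on the floating `actions/checkout@v4` tag while osv.yml pins its reusable workflow to a full SHA with a version comment; depending on the zizmor version and persona the new `test:workflow` script runs, the tag pin may be reported as well.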
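Review bot: Deleting the workflow-level `permissions` block in docs.yml (and likewise in both osv.yml hunks) means any job added later without its own `permissions` falls back to the repository's default token permissions, which can still be read/write on older repositories. Keeping a minimal top-level block next to the new job-level grants, `permissions: {}` or a `contents: read`-only block, makes the workflow least-privilege by default instead of relying on each job to declare it. The job-level scoping is the right direction, and `pages: write` plus `id-token: write` on `deploy` matches the Pages deployment context visible in the hunk.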
@@ -21,15 +21,12 @@ on: push: branches: ['main'] -permissions: - # Require writing security events to upload SARIF file to security tab - security-events: write - # Read commit contents - contents: read - jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} + permissions: + security-events: write + contents: read uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78' # v1.7.1 with: # Example of specifying custom arguments @@ -39,6 +36,9 @@ jobs: ./ scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} + permissions: + security-events: write + contents: read uses: 'google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78' # v1.7.1 with: # Example of specifying custom arguments diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 343810ff15..d36e35e726 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,6 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Use Node.js 22.x uses: actions/setup-node@v4 @@ -39,6 +41,8 @@ jobs: FORCE_COLOR: 3 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Use Node.js 22.x uses: actions/setup-node@v4 @@ -73,6 +77,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Use Node.js 22.x uses: actions/setup-node@v4 @@ -96,6 +102,9 @@ jobs: needs: build steps: - uses: actions/checkout@v4 + with: + persist-credentials: false + - name: Use Node.js 16.x uses: actions/setup-node@v4 with: @@ -115,6 +124,9 @@ jobs: needs: build steps: - uses: actions/checkout@v4 + with: + persist-credentials: false + - name: Setup Bun uses: antongolub/action-setup-bun@v1 - uses: actions/download-artifact@v4 
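Review bot: The two explanatory comments on the old workflow-level block (why `security-events: write` is needed, what `contents: read` covers) are dropped when the grants move under `scan-scheduled`, and the second hunk's `scan-pr` block carries none either. Carry them over as inline comments, e.g. `security-events: write  # upload SARIF to the Security tab` and `contents: read  # read commit contents`, so whoever later widens a grant sees the justification beside it. Both jobs delegate to a SHA-pinned reusable workflow with a `# v1.7.1` marker, which is the pinning style the other workflow files in this commit would benefit from.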
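Review bot: The `@@ -96` and `@@ -115` hunks of test.yml add a trailing blank line after the new `persist-credentials: false`, while the other six checkout hunks in the same file do not; pick one spacing and apply it to all eight identical steps so the file reads consistently. If the blank line is meant to separate the checkout step from the next step, the earlier hunks in the file are the ones to update, not these two to trim.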
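Review bot: `antongolub/action-setup-bun@v1`, directly after the new `persist-credentials: false` in the `@@ -115` hunk, is an individually maintained third-party action pinned to a mutable major tag, so the code that step runs can change with no diff here; the same applies to `denoland/setup-deno@v2` in the `@@ -135` hunk on the next line. Pinning both to a full commit SHA with a trailing version comment, as osv.yml already does for its reusable workflow, closes the gap that dropping persisted credentials is meant to narrow. As far as I recall zizmor's `unpinned-uses` defaults, non-`actions/*` owners are expected to be hash-pinned, so the new `test:workflow` script is likely to report these two lines anyway — inferred from the tool's documentation, not from this diff.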
@@ -135,6 +147,8 @@ jobs: deno-version: [v1.x, v2.x] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Deno uses: denoland/setup-deno@v2 with: @@ -156,6 +170,8 @@ jobs: node-version: [12, 14, 16, 18, 20, 22, 22-nightly, 23] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v4 with: @@ -179,6 +195,8 @@ jobs: ts: [4, 5, rc] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Use Node.js 22.x uses: actions/setup-node@v4 with: diff --git a/package.json b/package.json index 943cf1c3b5..2de575b03a 100644 --- a/package.json +++ b/package.json @@ -89,7 +89,8 @@ "test:smoke:win32": "node ./test/smoke/win32.test.js", "test:smoke:cjs": "node ./test/smoke/node.test.cjs", "test:smoke:mjs": "node ./test/smoke/node.test.mjs", - "test:smoke:deno": "deno test ./test/smoke/deno.test.js --allow-read --allow-sys --allow-env --allow-run" + "test:smoke:deno": "deno test ./test/smoke/deno.test.js --allow-read --allow-sys --allow-env --allow-run", + "test:workflow": "zizmor .github/workflows -v -p" }, "optionalDependencies": { "@types/fs-extra": ">=11",
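Review bot: The new `test:workflow` script invokes a bare `zizmor`, and nothing in this hunk declares it (it is not an npm package), so on a machine without it the script fails with command-not-found; either document the install step or invoke it through a fetcher, e.g. `"test:workflow": "uvx zizmor .github/workflows -v -p"`. The short flags hide intent in a scripts block others will copy; `--verbose --pedantic` reads better, assuming `-v -p` are those two flags as zizmor's CLI documents. Nothing in this diff wires `test:workflow` into a CI job, so the check only runs when someone remembers to invoke it locally — worth confirming whether the aggregate `test` script, outside the hunk, includes it.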