diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index dec69fb0a..b6300b1a2 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -66,7 +66,7 @@ jobs:
 ref: refs/tags/v${{ env.YARA_X_RELEASE }}
 - name: Install Rust for yara-x-capi
 if: steps.yara-x-capi.outputs.cache-hit != 'true'
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
+ uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
 with:
 toolchain: stable
 - name: Cache Rust dependencies
@@ -80,16 +80,18 @@ jobs:
 restore-keys: rust-cargo-
 - name: Build yara-x-capi
 if: steps.yara-x-capi.outputs.cache-hit != 'true'
+ env:
+ WORKSPACE: ${{ github.workspace }}
 run: |
 command -v cargo-cinstall || cargo install cargo-c --locked
- cd ${{ github.workspace }}/yara-x
+ cd "${WORKSPACE}/yara-x"
 RUSTFLAGS="-C target-feature=+crt-static" cargo cinstall -p yara-x-capi --features=native-code-serialization \
 --profile release-lto \
- --pkgconfigdir=${{ github.workspace }}/yara-x-install \
- --includedir=${{ github.workspace }}/yara-x-install \
- --libdir=${{ github.workspace }}/yara-x-install \
+ --pkgconfigdir="${WORKSPACE}/yara-x-install" \
+ --includedir="${WORKSPACE}/yara-x-install" \
+ --libdir="${WORKSPACE}/yara-x-install" \
 --crt-static --library-type="staticlib"
- rm -rf ${{ github.workspace }}/yara-x
+ rm -rf "${WORKSPACE}/yara-x"
 - name: Set up Go
 uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml
index 5a3fb1401..e8d3ddfca 100644
--- a/.github/workflows/digestabot.yaml
+++ b/.github/workflows/digestabot.yaml
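Review bot: The last added line of the second hunk, `rm -rf "${WORKSPACE}/yara-x"`, now reads the base path from an environment variable at run time rather than from a value substituted when the workflow is parsed, so an empty or unset `WORKSPACE` would expand to `rm -rf /yara-x`; `rm -rf "${WORKSPACE:?}/yara-x"` makes the shell abort instead, and the same guard is cheap on the new `cd "${WORKSPACE:?}/yara-x"` line. A failing `cd` there is presumably already fatal under the default `bash -e` step shell, unless a `shell:` override exists outside the hunk. Moving `github.workspace` out of the script body into `env:` is the right shape for the template-injection check the repo's zizmor run performs, even though that context is not attacker-controlled. The step's `run:` block is shown in full, but the job it belongs to starts outside the hunk.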
@@ -36,7 +36,7 @@ jobs:
 release-assets.githubusercontent.com:443
 tuf-repo-cdn.sigstore.dev:443
- - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+ - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
 - uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
 id: octo-sts
diff --git a/.github/workflows/fuzz.yaml b/.github/workflows/fuzz.yaml
index ab73e3214..da8979b0a 100644
--- a/.github/workflows/fuzz.yaml
+++ b/.github/workflows/fuzz.yaml
@@ -125,7 +125,7 @@ jobs:
 - name: Install dependencies
 run: |
 apk update
- apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
+ apk add curl findutils git gnutar "${GO_RELEASE}" nodejs upx xz "yara-x~${YARA_X_RELEASE}"
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -170,6 +170,8 @@ jobs:
 # -parallel=1 is used for now due to this: https://github.com/golang/go/issues/56238
 - name: Run fuzzer - ${{ matrix.target.test }}
 env:
+ FUZZ_TARGET: ${{ matrix.target.test }}
+ FUZZ_PACKAGE: ${{ matrix.target.package }}
 FUZZ_TIME: ${{ inputs.fuzz_time || '30s' }}
 run: |
- go test -parallel=1 -timeout 0 -fuzz="^${{ matrix.target.test }}$" -fuzztime="${FUZZ_TIME}" "${{ matrix.target.package }}"
+ go test -parallel=1 -timeout 0 -fuzz="^${FUZZ_TARGET}$" -fuzztime="${FUZZ_TIME}" "${FUZZ_PACKAGE}"
diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml
index c09651316..9aae3f3a0 100644
--- a/.github/workflows/go-tests.yaml
+++ b/.github/workflows/go-tests.yaml
@@ -41,7 +41,7 @@ jobs:
 - name: Install dependencies
 run: |
 apk update
- apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
+ apk add curl findutils git gnutar "${GO_RELEASE}" nodejs upx xz "yara-x~${YARA_X_RELEASE}"
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
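Review bot: The `# main` annotation on the new setup-gitsign line documents that the pinned SHA tracks a branch rather than a release, and the pin-updating bots presumably use that comment to pick the next SHA, so every future bump follows upstream's HEAD of `main` instead of a tagged, reviewed release. If chainguard-dev/actions publishes release tags, a tag comment here (mirroring the `# v1.1.1` on the octo-sts line below it) would narrow what gets pulled in; if it does not, the branch annotation is honest documentation of what is already consumed and should stay. The same annotation is added in release.yaml, third-party.yaml, update-yara-x.yaml and version.yaml.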
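Review bot: Quoting `"${GO_RELEASE}"` in the new `apk add` line of the fuzz.yaml hunk changes behaviour if that variable ever carries more than one package name: the previous unquoted `${{ env.GO_RELEASE }}` was word-split by the shell into separate arguments, whereas the quoted form is handed to apk as a single package spec, so a constructed value like `go~1.25 go-doc` would now fail as one unknown package. If GO_RELEASE is defined as exactly one package name (its definition is outside the hunk), the quoting is the safer form and nothing changes; otherwise keep it unquoted with a `# shellcheck disable=SC2086` comment or split it explicitly, e.g. `read -ra GO_PKGS <<< "${GO_RELEASE}"` followed by `"${GO_PKGS[@]}"`. The quoted `"yara-x~${YARA_X_RELEASE}"` is an unambiguous improvement. The same change appears in go-tests.yaml (both hunks), style.yaml and third-party.yaml.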
@@ -92,7 +92,7 @@ jobs:
 - name: Install dependencies
 run: |
 apk update
- apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
+ apk add curl findutils git gnutar "${GO_RELEASE}" nodejs upx xz "yara-x~${YARA_X_RELEASE}"
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 595a61409..da2aac489 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -29,7 +29,7 @@ jobs:
 github.com:443
 octo-sts.dev:443
 release-assets.githubusercontent.com:443
- - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+ - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
 - name: Set up Octo-STS
 uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
 id: octo-sts
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
index f58b699ae..70cdc5ce6 100644
--- a/.github/workflows/style.yaml
+++ b/.github/workflows/style.yaml
@@ -188,7 +188,7 @@ jobs:
 - name: Install dependencies
 run: |
 apk update
- apk add curl findutils git ${{ env.GO_RELEASE }} nodejs yara-x~${{ env.YARA_X_RELEASE }}
+ apk add curl findutils git "${GO_RELEASE}" nodejs "yara-x~${YARA_X_RELEASE}"
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/third-party.yaml b/.github/workflows/third-party.yaml
index fed88fad5..0868ad9d3 100644
--- a/.github/workflows/third-party.yaml
+++ b/.github/workflows/third-party.yaml
@@ -40,8 +40,8 @@ jobs:
 - name: Install dependencies
 run: |
 apk update
- apk add bash curl findutils gh git gnutar ${{ env.GO_RELEASE }} nodejs perl upx xz yara-x~${{ env.YARA_X_RELEASE }}
- - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+ apk add bash curl findutils gh git gnutar "${GO_RELEASE}" nodejs perl upx xz "yara-x~${YARA_X_RELEASE}"
+ - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
 - name: Set up Octo-STS
 uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
 id: octo-sts
diff --git a/.github/workflows/update-yara-x.yaml b/.github/workflows/update-yara-x.yaml
index f6c88092c..75435e113 100644
--- a/.github/workflows/update-yara-x.yaml
+++ b/.github/workflows/update-yara-x.yaml
@@ -46,6 +46,7 @@ jobs:
 id: check
 env:
 GH_TOKEN: ${{ github.token }}
+ REPOSITORY: ${{ github.repository }}
 run: |
 CURRENT=$(grep '^YARA_X_VERSION' Makefile | head -1 | sed 's/.*= *//')
 echo "Current version: ${CURRENT}"
@@ -68,7 +69,7 @@ jobs:
 # Skip if there is already an open PR for this version
 VERSION="${LATEST#v}"
- EXISTING=$(gh pr list --repo "${{ github.repository }}" --head "bump-yara-x-${VERSION}" --state open --json number --jq 'length')
+ EXISTING=$(gh pr list --repo "${REPOSITORY}" --head "bump-yara-x-${VERSION}" --state open --json number --jq 'length')
 if [[ "${EXISTING}" -gt 0 ]]; then
 echo "Open PR already exists for yara-x ${VERSION}"
 echo "update_available=false" >> "$GITHUB_OUTPUT"
@@ -111,7 +112,7 @@ jobs:
 sum.golang.org:443
 tuf-repo-cdn.sigstore.dev:443
- - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+ - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
 - name: Set up Octo-STS
 uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
 id: octo-sts
diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml
index ceb0ab9d1..eb17f7ae9 100644
--- a/.github/workflows/version.yaml
+++ b/.github/workflows/version.yaml
@@ -39,7 +39,7 @@ jobs:
 rekor.sigstore.dev:443
 release-assets.githubusercontent.com:443
 tuf-repo-cdn.sigstore.dev:443
- - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+ - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
 - name: Set up Octo-STS
 uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
 id: octo-sts
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index 876f948e3..ba8512a36 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -9,11 +9,15 @@ on:
 paths:
 - '.github/workflows/**'
 - '.github/actions/**'
+ - '.github/dependabot.yml'
+ - '.github/zizmor.yml'
 push:
 branches: ['main']
 paths:
 - '.github/workflows/**'
 - '.github/actions/**'
+ - '.github/dependabot.yml'
+ - '.github/zizmor.yml'
 permissions: {}
@@ -42,3 +46,5 @@ jobs:
 - name: Run zizmor
 uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..778c52520
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,16 @@
+# Copyright 2026 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+rules:
+ dependabot-cooldown:
+ config:
+ days: 3
+ # Pedantic-only; no security impact — cosmetic/style findings
+ anonymous-definition:
+ disable: true
+ undocumented-permissions:
+ disable: true
+ # Pedantic-only; low security value but noisy
+ # Address concurrency limits as a separate, dedicated effort if desired
+ concurrency-limits:
+ disable: true
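Review bot: In the new `.github/zizmor.yml`, disabling `undocumented-permissions` switches off the one pedantic check that asks for a comment justifying each `permissions:` block, which is more than cosmetic in a repository whose jobs obtain write-capable credentials through octo-sts and gitsign; consider leaving that rule enabled, or at least narrowing the comment above it so it does not claim "no security impact" for that rule specifically, e.g. `# undocumented-permissions: disabled deliberately; write scopes are reviewed with the octo-sts trust policy` (adjust to what is actually true). The `dependabot-cooldown` entry with `days: 3` is presumably checked against `.github/dependabot.yml`, which is not in this diff, so confirm that file sets a cooldown of at least 3 days or the new `persona: pedantic` run will flag it on the first pull request. The `concurrency-limits` disable is a cost and duplicate-run matter rather than a security one, and the comment already says as much.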