diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 0000000..524c89f
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,18 @@
+name: Lint
+
+on: pull_request
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ lint:
+ uses: masterpointio/actions/.github/workflows/lint.yaml@7dad35e85d864ca5dda0971dfd3c940cc67ed380 #v0.3.0
+ permissions:
+ actions: read # for trunk-action
+ checks: write # for trunk-action
+ contents: read # for trunk-action + checkout
+ pull-requests: read # for action-semantic-pull-request
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index 5cb3e10..0000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: Lint
-
-concurrency:
- group: lint-${{ github.head_ref || github.run_id }}
- cancel-in-progress: true
-
-on: pull_request
-
-permissions:
- actions: read
- checks: write
- contents: read
- pull-requests: read
-
-jobs:
- lint:
- runs-on: ubuntu-latest
- steps:
- - name: Check out Git repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - name: Trunk Check
- uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
-
- conventional-title:
- runs-on: ubuntu-latest
- steps:
- - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
new file mode 100644
index 0000000..6db8410
--- /dev/null
+++ b/.github/workflows/release-please.yaml
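Review bot: The version comment on the `uses:` line, `#v0.3.0`, has no space after `#`, unlike every other pinned action in this diff (`# v6.0.2`, `# v1.2.4`), and the same form appears on the `uses:` line of the release-please.yaml hunk. Tooling that keeps the human-readable tag in sync with the SHA, and reviewers scanning for the tag, generally expect the `# vX.Y.Z` form, so write `uses: masterpointio/actions/.github/workflows/lint.yaml@7dad35e85d864ca5dda0971dfd3c940cc67ed380 # v0.3.0`. The four job-level permissions are the ceiling the called workflow receives; as far as I know a reusable workflow that requests anything beyond `actions: read`, `checks: write`, `contents: read`, `pull-requests: read` is rejected at start-up rather than at the failing step, so the list is worth confirming against the callee at that SHA before merging.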
@@ -0,0 +1,25 @@
+name: Create Release via Google Release Please
+
+on:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ release-please:
+ uses: masterpointio/actions/.github/workflows/release-please.yaml@7dad35e85d864ca5dda0971dfd3c940cc67ed380 #v0.3.0
+ with:
+ release-type: simple
+ secrets:
+ MP_BOT_APP_ID: ${{ secrets.MP_BOT_APP_ID }}
+ MP_BOT_APP_PRIVATE_KEY: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+ permissions:
+ contents: write # needed by release-please-action
+ pull-requests: write # needed by release-please-action
+ issues: write # needed by release-please-action
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
deleted file mode 100644
index 37cd37b..0000000
--- a/.github/workflows/release-please.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: Create Release via Google Release Please
-
-on:
- push:
- branches:
- - main
-
-permissions:
- contents: write
- pull-requests: write
-
-jobs:
- release-please:
- runs-on: ubuntu-latest
- steps:
- - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
- with:
- release-type: simple
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yaml
similarity index 73%
rename from .github/workflows/test.yml
rename to .github/workflows/test.yaml
index 147ba59..721e660 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yaml
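Review bot: `cancel-in-progress: true` is now applied to a release workflow that runs on every push to `main`; on that event `github.head_ref` is empty, so the group resolves to the workflow name plus `refs/heads/main`, and a second push that lands while release-please is still updating the release PR or tagging a release cancels that run midway. Cancelling superseded runs is right for the PR-triggered lint and test workflows, but for this one it is safer to queue: `cancel-in-progress: false` (or drop the `concurrency` block entirely, as the deleted file had it). It would also help to state next to `secrets:` why the bot-app credentials replace the default `GITHUB_TOKEN` the old workflow ran on — presumably so the release PR's events can trigger other workflows, which the default token's events do not — rather than leaving that implicit.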
@@ -2,17 +2,25 @@ name: Tests on: pull_request -permissions: - contents: read - checks: write - pull-requests: write +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: test-typescript: + name: test-typescript runs-on: ubuntu-latest + permissions: + contents: read # needed by actions/checkout + checks: write # needed by jest-coverage-report-action + pull-requests: write # needed by jest-coverage-report-action steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
@@ -27,11 +35,16 @@ jobs: test-action-on-itself: name: Test the GitHub Action on itself runs-on: ubuntu-latest + permissions: + contents: read # needed by actions/checkout + pull-requests: write # needed to post PR comments steps: - name: Checkout id: checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Test Local Action (Individual File Mode) id: test-action-opa-files
diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml
new file mode 100644
index 0000000..e8f1856
--- /dev/null
+++ b/.github/workflows/trunk-upgrade.yaml
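Review bot: In the first hunk `name: test-typescript` merely repeats the job key, whereas the sibling job in the second hunk carries a descriptive name (`Test the GitHub Action on itself`); either drop the line or give it a matching description such as `name: Run TypeScript unit tests`. The two `persist-credentials: false` additions are welcome, but the first job is also granted `checks: write` and `pull-requests: write` for a coverage-reporting step that lies outside this hunk; with no credentials left in the checkout, confirm that step receives its token through an explicit input or `env` rather than through git's stored credentials, and say so in the comment on `pull-requests: write`. Both job definitions start and continue outside the hunks shown.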
@@ -0,0 +1,34 @@
+name: Trunk Upgrade
+
+on:
+ workflow_call:
+ secrets:
+ MP_BOT_APP_ID:
+ required: true
+ MP_BOT_APP_PRIVATE_KEY:
+ required: true
+ MASTERPOINT_TEAM_PAT:
+ required: true
+
+permissions: {}
+
+jobs:
+ trunk-upgrade:
+ name: trunk upgrade
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed by github-action-trunk-upgrade to write repository contents
+ pull-requests: write # needed by github-action-trunk-upgrade to write pull requests
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run Trunk Upgrade
+ uses: masterpointio/github-action-trunk-upgrade@a79fd65d524d92031fe167daee411d2f25d4a999 # v0.1.0
+ with:
+ app-id: ${{ secrets.MP_BOT_APP_ID }}
+ app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+ github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
+ reviewers: "@masterpointio/masterpoint-open-source"
diff --git a/.github/workflows/trunk-upgrade.yml b/.github/workflows/trunk-upgrade.yml
deleted file mode 100644
index aa1e059..0000000
--- a/.github/workflows/trunk-upgrade.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Trunk Upgrade
-
-on:
- schedule:
- # On the first day of every month @ 8am
- - cron: 0 8 1 * *
- workflow_dispatch: {}
-
-permissions: read-all
-
-jobs:
- trunk-upgrade:
- runs-on: ubuntu-latest
- permissions:
- # For trunk to create PRs
- contents: write
- pull-requests: write
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
-
- - name: Upgrade
- uses: trunk-io/trunk-action/upgrade@86b68ffae610a05105e90b1f52ad8c549ef482c2 #v1.1.16
- with:
- reviewers: "@masterpointio/masterpoint-internal"
- prefix: "chore: "
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index 43b0365..a3db8ac 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
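Review bot: The new file's `on:` block declares only `workflow_call`, while the file it replaces ran on a monthly `schedule` cron and on `workflow_dispatch`; nothing in this diff invokes the new workflow, so unless a caller exists elsewhere in the repository the monthly Trunk upgrade silently stops running. If the schedule is meant to stay here, add the triggers back alongside `workflow_call` (`schedule:` with the old `- cron: 0 8 1 * *`, plus `workflow_dispatch: {}`); if another workflow is meant to call this one, name it in a comment above `on:` so the dependency is visible. Separately, the job is handed both GitHub App credentials and a long-lived `MASTERPOINT_TEAM_PAT`; a comment on `github-token:` stating what the PAT does that the app installation token cannot would let a later reviewer judge whether the PAT can be retired, which is the smaller secret footprint.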
@@ -7,7 +7,7 @@ cli:
 plugins:
 sources:
 - id: trunk
- ref: v1.7.6
+ ref: v1.10.1
 uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
@@ -33,6 +33,19 @@ lint:
 - trivy@0.69.2
 - trufflehog@3.90.13
 - yamllint@1.38.0
+ - zizmor@1.25.2
+ definitions:
+ - name: zizmor
+ environment:
+ # Optional token here so that it's not needed locally, but can be used
+ # when trunk is called from our lint workflow in GHA
+ - name: ZIZMOR_GITHUB_TOKEN
+ value: ${env.GITHUB_TOKEN}
+ optional: true
+ commands:
+ # Set to pedantic so that zizmor will run its stale-action-refs audit rule
+ - name: lint
+ run: zizmor --format=sarif --persona=pedantic ${target}
 actions:
 enabled:
 - trunk-announce
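Review bot: In the second hunk the `ZIZMOR_GITHUB_TOKEN` entry reads `${env.GITHUB_TOKEN}` with `optional: true`, so when the variable is absent the audit runs unauthenticated instead of failing; that is the intended local behaviour per the comment, but in CI it also makes a missing export invisible, and the audits that need the API (the `stale-action-refs` rule the `--persona=pedantic` comment calls out is one of them, if I read zizmor's documentation correctly) then quietly degrade. It is worth confirming that the reusable lint workflow referenced from lint.yaml really exports `GITHUB_TOKEN` into trunk's environment and recording that expectation in the comment, e.g. `# ... from our lint workflow in GHA; that workflow must export GITHUB_TOKEN or the online audits run unauthenticated`. Minor: the two-line comment sits between `environment:` and its first list item, so moving it directly above `- name: ZIZMOR_GITHUB_TOKEN` keeps it attached to the entry it describes.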