diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d7ebdbf..5fd269d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,16 +1,20 @@
 version: 2
 updates:
-    # Maintain dependencies for GitHub Actions.
-    - package-ecosystem: "github-actions"
-      directory: "/"
-      schedule:
-          interval: "daily"
-      # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581
-      open-pull-requests-limit: 0
+  # Maintain dependencies for GitHub Actions.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 7
+    ignore:
+      - dependency-name: "yiisoft/*"
 
-    # Maintain dependencies for Composer
-    - package-ecosystem: "composer"
-      directory: "/"
-      schedule:
-          interval: "daily"
-      versioning-strategy: increase-if-necessary
+  # Maintain dependencies for Composer
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+        interval: "daily"
+    versioning-strategy: increase-if-necessary
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/bechmark.yml b/.github/workflows/bechmark.yml
index 3e4b5fd..01ad5f2 100644
--- a/.github/workflows/bechmark.yml
+++ b/.github/workflows/bechmark.yml
@@ -24,6 +24,8 @@ on:
 
 name: bechmark
 
+permissions:
+  contents: read
 jobs:
   phpbench:
     name: PHP ${{ matrix.php }}
@@ -39,21 +41,26 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          persist-credentials: false
 
       - name: Check if we need to create a baseline for a PR
         run: |
-          if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.ref }}" != "refs/heads/${{ github.event.repository.default_branch }}" ]]; then
+          if [[ "${{ github.event_name }}" == "pull_request" && "${GITHUB_REF}" != "refs/heads/${GITHUB_EVENT_REPOSITORY_DEFAULT_BRANCH}" ]]; then
             echo "WITH_BENCH_BASELINE=1" >> $GITHUB_ENV
           else
             echo "WITH_BENCH_BASELINE=0" >> $GITHUB_ENV
           fi
+        env:
+          GITHUB_EVENT_REPOSITORY_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
 
       - name: "Baseline creation: Checkout default branch."
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         if: ${{ env.WITH_BENCH_BASELINE == '1' }}
         with:
           ref: ${{ github.event.repository.default_branch }}
+          persist-credentials: false
 
       - name: Build
         if: ${{ env.WITH_BENCH_BASELINE == '1' }}
@@ -72,11 +79,12 @@ jobs:
         run: echo "WITH_BENCH_BASELINE=0" >> $GITHUB_ENV
 
       - name: "Pull request: Checkout head."
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         if: ${{ github.event_name == 'pull_request' }}
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           clean: false
+          persist-credentials: false
 
       - name: "Pull request: Build"
         if: ${{ github.event_name == 'pull_request' }}
@@ -86,7 +94,7 @@ jobs:
       - name: "Run PhpBench."
         working-directory: ./tests
         run: |
-          if [ "${{ env.WITH_BENCH_BASELINE }}" == '1' ]; then
+          if [ "${WITH_BENCH_BASELINE}" == '1' ]; then
             docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' --ref=default --assert="mode(variant.time.avg) <= mode(baseline.time.avg) +/- 10%" > phpbench.log
           else
             docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' > phpbench.log
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c0234dd..b5c3396 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,6 +22,8 @@ on:
 
 name: build
 
+permissions:
+  contents: read
 jobs:
   phpunit:
     name: PHP ${{ matrix.php }}
@@ -32,7 +34,9 @@ jobs:
         php: [ 81, 82, 83, 84 ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+        with:
+          persist-credentials: false
       - name: Build
         working-directory: ./tests
         run: docker compose build
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index 857295f..05fafe5 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -24,6 +24,8 @@ on:
 
 name: Composer require checker
 
+permissions:
+  contents: read
 jobs:
   composer-require-checker:
     uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index 2f41299..864cc43 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -22,6 +22,8 @@ on:
 
 name: Mutation test
 
+permissions:
+  contents: read
 jobs:
   mutation:
     name: PHP ${{ matrix.php }}-${{ matrix.os }}
@@ -42,10 +44,12 @@ jobs:
 
     steps:
       - name: Checkout.
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        with:
+          persist-credentials: false
 
       - name: Install PHP with extensions.
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
         with:
           php-version: ${{ matrix.php }}
           ini-values: memory_limit=-1
diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml
index 5d6931d..ebc6d37 100644
--- a/.github/workflows/rector.yml
+++ b/.github/workflows/rector.yml
@@ -1,5 +1,5 @@
 on:
-  pull_request_target:
+  pull_request:
     paths-ignore:
       - 'docs/**'
       - 'README.md'
@@ -11,13 +11,12 @@ on:
 
 name: rector
 
+permissions:
+  contents: read
 jobs:
   rector:
     uses: yiisoft/actions/.github/workflows/rector.yml@master
-    secrets:
-      token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
     with:
-      repository: ${{ github.event.pull_request.head.repo.full_name }}
       os: >-
         ['ubuntu-latest']
       php: >-
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index b56464d..c0b8262 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -22,6 +22,8 @@ on:
 
 name: static analysis
 
+permissions:
+  contents: read
 jobs:
   psalm:
     uses: yiisoft/actions/.github/workflows/psalm.yml@master
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..430255d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,22 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches:
+      - master
+      - main
+    paths:
+      - '.github/**.yml'
+      - '.github/**.yaml'
+  pull_request:
+    paths:
+      - '.github/**.yml'
+      - '.github/**.yaml'
+
+permissions:
+  actions: read # Required by zizmor when reading workflow metadata through the API.
+  contents: read # Required to read workflow files.
+
+jobs:
+  zizmor:
+    uses: yiisoft/actions/.github/workflows/zizmor.yml@master