diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d0afca3..186cd5d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,20 +16,19 @@ updates:
     patterns: ["*"]
     multi-ecosystem-group: wrapper-dependencies
     cooldown:
-      default-days: 3
+      default-days: 7
 
   - package-ecosystem: docker
     directory: "/"
     patterns: ["*"]
     multi-ecosystem-group: wrapper-dependencies
     cooldown:
-      default-days: 3
+      default-days: 7
 
   - package-ecosystem: bun
     directory: "/"
     patterns: ["*"]
     multi-ecosystem-group: wrapper-dependencies
     cooldown:
-      semver-patch-days: 2
-      semver-minor-days: 3
+      default-days: 7
       semver-major-days: 14
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 10c2424..3acb66b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,8 +6,11 @@ on:
       - main
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
+
+concurrency:
+  group: ci-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   validate:
diff --git a/.github/workflows/update-opencode-release.yml b/.github/workflows/update-opencode-release.yml
index bdfb75a..de1a69e 100644
--- a/.github/workflows/update-opencode-release.yml
+++ b/.github/workflows/update-opencode-release.yml
@@ -10,8 +10,7 @@ on:
   schedule:
     - cron: "17 0 * * *"
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   group: update-opencode-release
@@ -20,6 +19,8 @@ concurrency:
 
 jobs:
   update-opencode:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     environment: automation
     steps:
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 97e5ff6..1ad49ef 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -3,12 +3,13 @@ name: Validate
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 
 jobs:
   runtime-config-regression:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check out repository
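Review bot: The bun entry drops its per-level `semver-patch-days` / `semver-minor-days` values for a flat `default-days: 7` while keeping `semver-major-days: 14`, and nothing in the file records why the soak window was lengthened; a one-line comment above each `cooldown:` block, e.g. `# 7-day soak for routine bumps, 14 for majors`, would make the intent survive the next edit. As far as I recall, Dependabot's cooldown gates version updates only and does not delay security updates, which is what makes a longer window acceptable — worth confirming against the current Dependabot docs before leaning on it. The enclosing `updates:` list starts above the hunk.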
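Review bot: `cancel-in-progress: true` combined with the group `ci-${{ github.event.pull_request.number || github.ref }}` also applies to non-PR runs, where the fallback group is the ref (presumably `ci-refs/heads/main` for pushes to `main`), so a quick second push cancels the in-flight run for the earlier commit and that commit never receives a completed check. If only PR runs should supersede each other, restrict cancellation: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The `validate` job's body is outside the hunk; with the workflow-level grant now `{}`, confirm that job sets whatever permissions the workflow it calls needs, since it no longer inherits `contents: read`.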
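Review bot: The `update-opencode` job keeps only `contents: read` on GITHUB_TOKEN yet runs under `environment: automation`, which suggests the write path (commit and pull request) uses a separately minted token rather than this grant, and nothing in either hunk of this file says so. A comment on the new block, e.g. `# GITHUB_TOKEN is read-only here; writes go through the app token minted in a later step`, would stop the next reader from "fixing" it by adding `pull-requests: write`. I am inferring the app-token flow from the actions allowlisted in `.github/zizmor.yml` (create-github-app-token, create-pull-request), so confirm it against the steps, which continue outside the hunk.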
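Review bot: Because this workflow is entered only through `workflow_call:`, the job-level `contents: read` is a request, not a grant: the calling job sets the ceiling, and as far as I know a called job that asks for more than the caller's job holds makes the run fail at validation. With ci.yml now setting a top-level `permissions: {}`, confirm its calling job (outside that hunk) declares `permissions: contents: read`, and document the dependency once above the top-level block here: `# Callers must grant at least contents: read; each job below only needs checkout`. The identical job-level block is added for build-compat-tests, actionlint and shellcheck in the later hunks of this file, so one comment at the top serves all of them.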
@@ -31,6 +32,8 @@ jobs:
 
 
   build-compat-tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check out repository
@@ -62,6 +65,8 @@ jobs:
 
 
   actionlint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check out repository
@@ -87,12 +92,14 @@ jobs:
         uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
         with:
           advanced-security: false
-          inputs: .github/workflows
-          min-severity: medium
+          inputs: .github
+          min-severity: low
           min-confidence: medium
 
 
   shellcheck:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check out repository
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..42f1a8f
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,15 @@
+rules:
+  forbidden-uses:
+    config:
+      allow:
+        - actions/checkout
+        - actions/create-github-app-token
+        - docker/build-push-action
+        - docker/login-action
+        - docker/metadata-action
+        - docker/setup-buildx-action
+        - docker/setup-qemu-action
+        - oven-sh/setup-bun
+        - peter-evans/create-pull-request
+        - rhysd/actionlint
+        - zizmorcore/zizmor-action
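Review bot: Lowering `min-severity` to `low` while widening `inputs` to `.github` means any low-severity zizmor finding at medium confidence, in any file under `.github` rather than only `workflows/`, now fails this job, and with `advanced-security: false` the findings are only visible in the job log rather than the Security tab. If that strictness is intended, say so next to the settings: `# fail on every finding at medium+ confidence; log-only, no SARIF upload`. The step's `- name:` line and the enclosing job header are above the hunk.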
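Review bot: The new `forbidden-uses` configuration carries no comment explaining that `allow:` is a closed list, so any `uses:` of an unlisted repository becomes a finding and the first person adding a new action will hit an unexplained failure in the validate workflow. A short header such as `# Closed allowlist for zizmor's forbidden-uses audit: add a repository here before referencing it in a workflow` would save that round-trip. The entries appear to match by repository slug with no ref, so they permit any version of each listed action; pinning is presumably covered by a separate audit, which the comment could name once you have confirmed it against the installed zizmor version.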