diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/audit-actions.yaml similarity index 59% rename from .github/workflows/actionlint.yaml rename to .github/workflows/audit-actions.yaml index 0406ea1..290d17a 100644 --- a/.github/workflows/actionlint.yaml +++ b/.github/workflows/audit-actions.yaml @@ -1,4 +1,4 @@ -name: Lint GitHub Actions +name: Audit GitHub Actions on: pull_request: @@ -8,12 +8,14 @@ on: - reopened paths: - '.github/**' + - 'action.yaml' push: branches: - main - 'releases/*' paths: - '.github/**' + - 'action.yaml' permissions: contents: read @@ -27,6 +29,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/setup with: @@ -34,3 +38,17 @@ jobs: - name: Run actionlint run: actionlint -color + + zizmor: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - uses: ./.github/actions/setup + with: + install: 'false' + + - name: Run zizmor + run: zizmor . diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 724cebc..da1bda4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/setup @@ -38,6 +39,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/setup diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 30429d3..3b6863b 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml 
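Review bot: The `persist-credentials: false` added to the actionlint job's checkout has no comment saying why it is there, and the same two lines recur in the new zizmor job, both ci.yaml jobs and the e2e.yaml job. A short comment at one of these sites, such as `# keep the job token out of .git/config so later steps and uploaded artifacts cannot read it`, would stop a later edit from dropping the setting. The job bodies continue outside these hunks, so confirm that no later step runs authenticated git (a push, or a fetch of private submodules), since that would now fail.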
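Review bot: The `Run zizmor` step passes no GitHub token, and as far as I know zizmor then skips its online audits (the ones that query the GitHub API, for example for known-vulnerable action versions) without failing the run. The job can therefore pass while covering less than the workflow name suggests. Either give the step an `env:` block with `GH_TOKEN: ${{ github.token }}`, which stays read-only under the workflow's `contents: read`, or make the offline choice explicit with `run: zizmor --offline .`. A one-line comment on the job stating which mode is intended would also help.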
@@ -35,6 +35,8 @@ jobs: contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/setup diff --git a/mise.toml b/mise.toml index 383ad48..239f74c 100644 --- a/mise.toml +++ b/mise.toml @@ -2,3 +2,4 @@ actionlint = "1.7.12" node = "24.15.0" pnpm = "11.0.9" +zizmor = "1.25.2"