diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7c1a9db2..bb486646 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,6 +20,8 @@ jobs:
     timeout-minutes: 2
     steps:
       - uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@v8.0.0
       - name: ruff check
         run: uv run ruff check --output-format=github
@@ -31,6 +33,8 @@ jobs:
     timeout-minutes: 2
     steps:
       - uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
       - name: dprint
         uses: dprint/check@v2.3
 
@@ -39,6 +43,8 @@ jobs:
     timeout-minutes: 2
     steps:
       - uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@v8.0.0
         with:
           python-version: "3.12"
@@ -54,6 +60,8 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
       - uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@v8.0.0
         with:
           python-version: "3.12"
@@ -67,6 +75,8 @@ jobs:
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@v8.0.0
         with:
           python-version: "3.12"
diff --git a/.github/workflows/collect.yml b/.github/workflows/collect.yml
index 42aba0fb..b898b832 100644
--- a/.github/workflows/collect.yml
+++ b/.github/workflows/collect.yml
@@ -26,12 +26,15 @@ jobs:
     steps:
       - name: checkout main
         uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
 
       - name: checkout data
         uses: actions/checkout@v6.0.2
         with:
           ref: data
           path: _data
+          persist-credentials: false
 
       - uses: astral-sh/setup-uv@v8.0.0
         with:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0c8fcd0e..29f6f8a6 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -40,12 +40,15 @@ jobs:
     steps:
       - name: checkout main
         uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
 
       - name: checkout data
         uses: actions/checkout@v6.0.2
         with:
           ref: data
           path: _data
+          persist-credentials: false
 
       - uses: actions/configure-pages@v6
 
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 0182f510..df257eb0 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -21,8 +21,12 @@ jobs:
       id-token: write
     steps:
       - uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: astral-sh/setup-uv@v8.0.0
+        with:
+          enable-cache: false
 
       - name: uv build
         run: uv build