diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8744ed8..c4da419 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,24 +1,31 @@
 name: Release
 
-permissions:
-  contents: write
-
 on:
   push:
     tags:
       - '*'
 
+permissions: {}
+
+concurrency:
+  group: global
+  cancel-in-progress: false
+
 jobs:
   latest:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # required for gh release
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: '7.4'
           tools: composer:v2
@@ -33,7 +40,10 @@ jobs:
       - name: Generate phar
         run: make dist
 
-      - name: Release
-        uses: softprops/action-gh-release@v1
-        with:
-          files: dist/roger-q.phar
+      - name: Create Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create "$GITHUB_REF_NAME" ./dist/roger-q.phar \
+            --title "$GITHUB_REF_NAME" \
+            --notes "Stable release."
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 9c91580..d28168d 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -6,6 +6,12 @@ on:
       - '*.x'
   pull_request:
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   phpstan:
     name: PHPStan
@@ -13,7 +19,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: PHPStan
         uses: docker://oskarstark/phpstan-ga
@@ -26,7 +34,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: PHP-CS-Fixer
         uses: docker://oskarstark/php-cs-fixer-ga
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..174ceb1
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,29 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+# to upgrade repository actions with a new hash, either manually look up the hash in their releases,
+# or run zizmor --fix with the --gh-token parameter to have it fetch those hashes from GitHub.
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
diff --git a/src/Command/Dedupe.php b/src/Command/Dedupe.php
index afe347f..021f8b3 100644
--- a/src/Command/Dedupe.php
+++ b/src/Command/Dedupe.php
@@ -46,7 +46,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         $output->writeln(Json::encode($cleanMessages));
 
         if ($output instanceof ConsoleOutputInterface && $output->getVerbosity() >= OutputInterface::VERBOSITY_VERBOSE) {
-            $output->getErrorOutput()->writeln(sprintf(
+            $output->getErrorOutput()->writeln(\sprintf(
                 'Removed <info>%d</info> duplicated messages out of <info>%d</info> total messages, resulting in <info>%d</info> messages',
                 $removedMessagesCount,
                 \count($messages),
@@ -79,7 +79,7 @@ private function getValuesHash(array $fields, array $data): string
     private function isDuplicatedMessage(array $fields, array $message, array &$seenValues, int $messageNum): bool
     {
         if (!\array_key_exists('payload', $message)) {
-            throw new \UnexpectedValueException(sprintf('Message #%d does not have a payload (%s)', $messageNum, Json::encode($message)));
+            throw new \UnexpectedValueException(\sprintf('Message #%d does not have a payload (%s)', $messageNum, Json::encode($message)));
         }
 
         $payload = Json::decode($message['payload'], true);
@@ -87,7 +87,7 @@ private function isDuplicatedMessage(array $fields, array $message, array &$seen
         // Check that all given fields exist in the payload:
         foreach ($fields as $field) {
             if (!\array_key_exists($field, $payload)) {
-                throw new \UnexpectedValueException(sprintf('Payload of message #%d does not have the required fields %s (%s)', $messageNum, implode(',', $fields), $message['payload']));
+                throw new \UnexpectedValueException(\sprintf('Payload of message #%d does not have the required fields %s (%s)', $messageNum, implode(',', $fields), $message['payload']));
             }
         }
 
diff --git a/src/Command/Dump.php b/src/Command/Dump.php
index f649d7c..b2a4117 100644
--- a/src/Command/Dump.php
+++ b/src/Command/Dump.php
@@ -73,7 +73,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
             $data['count'] = \PHP_INT_MAX;
         }
 
-        $response = $guzzle->request('POST', sprintf('/api/queues/%s/%s/get', $vHost, $queueName), [
+        $response = $guzzle->request('POST', \sprintf('/api/queues/%s/%s/get', $vHost, $queueName), [
             RequestOptions::HEADERS => [
                 'Accept-Encoding' => 'gzip',
                 'Transfer-Encoding' => 'chunked',
@@ -90,7 +90,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         }
 
         if ($output instanceof ConsoleOutputInterface && $output->getVerbosity() >= OutputInterface::VERBOSITY_VERBOSE) {
-            $output->getErrorOutput()->writeln(sprintf(
+            $output->getErrorOutput()->writeln(\sprintf(
                 'Dumped <info>%s</info> bytes (gzip) from queue <info>%s</info>',
                 $response->hasHeader('x-encoded-content-length') ? $response->getHeaderLine('x-encoded-content-length') : 'unspecified',
                 $queueName
diff --git a/src/Command/Publish.php b/src/Command/Publish.php
index 07f317f..6fc2ddc 100644
--- a/src/Command/Publish.php
+++ b/src/Command/Publish.php
@@ -75,7 +75,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         }
 
         if ($output instanceof ConsoleOutputInterface && $output->getVerbosity() >= OutputInterface::VERBOSITY_VERBOSE) {
-            $output->getErrorOutput()->writeln(sprintf(
+            $output->getErrorOutput()->writeln(\sprintf(
                 'Published <info>%s</info> messages to queue <info>%s</info>',
                 \count($messages),
                 $queueName