diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3e57c5c..9155a67 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,5 +1,8 @@
 name: CI
+permissions:
+ contents: read
+
 on:
 push:
 branches:
@@ -12,11 +15,16 @@ on:
 jobs:
 biome:
 runs-on: ubuntu-24.04
+ timeout-minutes: 15
+ permissions:
+ contents: read
 steps:
 - name: Checkout your repository using git
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Setup toolchain
- uses: jdx/mise-action@v2
+ uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
 - name: Install dependencies
 run: bun install --frozen-lockfile
 - name: Check using Biome
@@ -24,11 +32,16 @@ jobs:
 tsc:
 runs-on: ubuntu-24.04
+ timeout-minutes: 15
+ permissions:
+ contents: read
 steps:
 - name: Checkout your repository using git
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Setup toolchain
- uses: jdx/mise-action@v2
+ uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
 - name: Install dependencies
 run: bun install --frozen-lockfile
 - name: Check using tsc
@@ -36,11 +49,16 @@ jobs:
 test:
 runs-on: ubuntu-24.04
+ timeout-minutes: 15
+ permissions:
+ contents: read
 steps:
 - name: Checkout your repository using git
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Setup toolchain
- uses: jdx/mise-action@v2
+ uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
 - name: Install dependencies
 run: bun install --frozen-lockfile
 - name: Test
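Review bot: On the new side of the biome hunk the `Setup toolchain` step pins `jdx/mise-action` by SHA, but what that step installs is still resolved at run time from `.tool-versions` (versions only, no checksums) and the mise binary itself carries no version pin in the step; if this revision of the action exposes a `version` input, adding `with:` / `version: <mise version>` (placeholder) would make the whole toolchain reproducible rather than only the action wrapper. The same checkout-plus-toolchain preamble is repeated verbatim in the tsc and test hunks below and in the build hunk on the next line, so this note covers all four; a composite action inside the repository would keep the SHA pins and `persist-credentials: false` in one place instead of five. The tag comments (`# v6.0.1`, `# v3.5.1`) are the only human-readable link from each SHA to a release, so they need to be maintained by tooling rather than by hand — presumably what the pinact entry in `.tool-versions` is for. Each job's final `run:` line lies outside its hunk.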
@@ -48,12 +66,43 @@ jobs:
 build:
 runs-on: ubuntu-24.04
+ timeout-minutes: 15
+ permissions:
+ contents: read
 steps:
 - name: Checkout your repository using git
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Setup toolchain
- uses: jdx/mise-action@v2
+ uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
 - name: Install dependencies
 run: bun install --frozen-lockfile
 - name: Build
 run: bun run build
+
+ github-actions:
+ runs-on: ubuntu-24.04
+ timeout-minutes: 15
+ permissions:
+ contents: read
+ strategy:
+ matrix:
+ task: ["actionlint", "ghalint", "zizmor"]
+ fail-fast: false
+ steps:
+ - name: Checkout your repository using git
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+ - name: Setup toolchain
+ uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
+ - name: Run actionlint
+ if: matrix.task == 'actionlint'
+ run: actionlint
+ - name: Run ghalint
+ if: matrix.task == 'ghalint'
+ run: ghalint run
+ - name: Run zizmor
+ if: matrix.task == 'zizmor'
+ run: zizmor .
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index f12007c..9a04164 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
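Review bot: The new `github-actions` job runs actionlint, ghalint and zizmor, but pinact — added to `.tool-versions` in this same commit — is not in the matrix, so drift between a pinned SHA and its `# vX.Y.Z` comment would go unnoticed in CI; adding `"pinact"` to `task:` with a step such as `run: pinact run --check` (or whichever non-mutating mode pinact 3.2.0 provides) would close that loop. Dispatching through three `if: matrix.task == '...'` steps instead of interpolating `${{ matrix.task }}` into `run:` is the right shape, because it keeps expressions out of the shell line; a short comment above `strategy:`, e.g. `# one guarded step per task: keeps ${{ }} out of run:`, would stop a later edit from collapsing it. With `fail-fast: false` each linter reports independently, which is what you want for a lint matrix.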
@@ -2,20 +2,27 @@ name: Publish package to npmjs
 on:
 release:
 types: [published]
+permissions:
+ id-token: write
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
+ timeout-minutes: 15
+ permissions:
+ id-token: write
+ contents: read
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
 with:
 node-version-file: ".tool-versions"
 registry-url: "https://registry.npmjs.org"
- - uses: oven-sh/setup-bun@v2
+ - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
 with:
 bun-version-file: ".tool-versions"
 - run: bun install --frozen-lockfile
 - run: npm run build
- - run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ - run: npm publish --provenance
diff --git a/.tool-versions b/.tool-versions
index 55821cf..3b21bbf 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,2 +1,6 @@
-bun 1.2.13
-nodejs 24.12.0
+bun 1.2.13
+nodejs 24.12.0
+pinact 3.2.0
+zizmor 1.18.0
+actionlint 1.7.9
+ghalint 1.5.3
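Review bot: `runs-on: ubuntu-latest` in the publish build job is the one floating runner image left after this commit, while every ci.yaml job uses `ubuntu-24.04`; change it to `runs-on: ubuntu-24.04` so the publishing environment is as reproducible as the actions it now pins. Dropping the `NODE_AUTH_TOKEN` env in favour of `npm publish --provenance` moves authentication to OIDC, which only works once trusted publishing is configured on the registry side for this repository and this workflow file name, so the change should land together with that setup; once it does, the now-unused `NPM_TOKEN` secret should be revoked so a leaked copy cannot publish. The `id-token: write` that provenance needs is present at both workflow and job level; the job-level block already covers this single job, so the top-level one is redundant but harmless. A comment on the publish step, e.g. `# OIDC trusted publishing; no registry token is used`, would explain to the next reader why no secret is referenced.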
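Review bot: `bun 1.2.13` and `nodejs 24.12.0` are removed and re-added with identical content, so the actual change to those two lines is invisible in this hunk — most likely line endings, a BOM or trailing whitespace; it is worth confirming the rewrite was intended, and a `* text=auto` rule in `.gitattributes` would keep it from recurring. Since this file now drives `jdx/mise-action` in ci.yaml as well as the `node-version-file` and `bun-version-file` inputs in publish.yaml, a one-line `#` comment at the top naming those consumers would help anyone who later edits a version here.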