diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d942da5..9761fa1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +1,11 @@
 version: 2
 updates:
   - package-ecosystem: "github-actions"
-    open-pull-requests-limit: 10
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     labels:
       - "area/dependencies"
       - "bot"
diff --git a/.github/workflows/.pr-assign-author.yml b/.github/workflows/.pr-assign-author.yml
index 3f124d2..a806bd9 100644
--- a/.github/workflows/.pr-assign-author.yml
+++ b/.github/workflows/.pr-assign-author.yml
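Review bot: Dropping `open-pull-requests-limit: 10` is a second behaviour change hidden inside the cooldown addition: with the key gone, Dependabot falls back to its default cap (5 open PRs per ecosystem, as far as I recall), which is stricter than the value removed. If the only goal is to space out update PRs, the cooldown alone does that and the explicit limit can stay; if the lower cap is intended, the commit description should say so, since nothing in the hunk explains it. `default-days: 7` itself is fine — a plain integer is what the schema expects.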
@@ -1,17 +1,51 @@
 name: .pr-assign-author
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
     types:
       - opened
       - reopened
 
 jobs:
-  run:
-    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@1b673f36fad86812f538c1df9794904038a23cbf
+  assign-author:
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       pull-requests: write
+    steps:
+      -
+        name: Assigning author to PR
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            try {
+              const dt = context.payload?.pull_request;
+              if (!dt) {
+                throw new Error(`No pull request payload found, skipping.`);
+              }
+
+              const { assignees, number, user: { login: author, type } } = dt;
+              if (assignees.length > 0) {
+                throw new Error(`Pull request is already assigned to someone, skipping.`);
+              } else if (type !== 'User') {
+                throw new Error(`Not a user, skipping.`);
+              }
+
+              const respAdd = await github.rest.issues.addAssignees({
+                ...context.repo,
+                issue_number: number,
+                assignees: [author]
+              });
+              core.debug(`addAssignees resp: ${JSON.stringify(respAdd, null, 2)}`);
+              if (respAdd.status !== 201) {
+                throw new Error(`Failed to assign @${author} to the pull request #${number}.`);
+              }
+
+              core.info(`@${author} has been assigned to the pull request #${number}`);
+            } catch (e) {
+              core.warning(e.message);
+            }
diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
index 6264422..f568c33 100644
--- a/.github/workflows/.test-bake.yml
+++ b/.github/workflows/.test-bake.yml
@@ -1,5 +1,9 @@
 name: .test-bake
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
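Review bot: The single `catch` in the inlined script collapses three expected "skipping" outcomes and one genuine failure (the non-201 `addAssignees` response) into the same `core.warning`, so a broken token scope or API regression leaves the job green and is easy to miss. I would log the skip branches with `core.info` and `return`, and keep only the API path as an error, e.g. `core.setFailed(e.message)` in the catch once the skips no longer throw. On the trigger: `pull_request_target` is defensible here because the job performs no checkout, consumes PR fields only inside the JavaScript runtime rather than through `${{ }}` expression interpolation, and holds just `pull-requests: write`; the suppression comment would be more useful if it stated that contract, e.g. `# zizmor: ignore[dangerous-triggers] no checkout and no ${{ }} interpolation of PR-controlled data`.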
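Review bot: The new workflow-level `permissions: contents: read` in .test-bake.yml (and the identical hunk in .test-build.yml) only sets a default; any job that declares its own `permissions` block replaces it entirely rather than merging with it, and the jobs of this file lie outside the hunk, so whether a job still needs a write scope has to be checked there. If this file is invoked through `workflow_call` — the `.github/zizmor.yml` added in this commit suggests some of the repo's workflows are reusable — the effective token is additionally bounded by the caller's grant, which is worth a one-line comment next to the block so the next reader does not assume the default is the ceiling.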
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
index 1775397..aaaebe7 100644
--- a/.github/workflows/.test-build.yml
+++ b/.github/workflows/.test-build.yml
@@ -1,5 +1,9 @@
 name: .test-build
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/.zizmor.yml b/.github/workflows/.zizmor.yml
new file mode 100644
index 0000000..56ff04f
--- /dev/null
+++ b/.github/workflows/.zizmor.yml
@@ -0,0 +1,65 @@
+name: .zizmor
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+      - 'releases/v*'
+  pull_request:
+
+env:
+  ZIZMOR_VERSION: 1.22.0 # https://github.com/zizmorcore/zizmor
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+    env:
+      TMPDIR: /tmp/zizmor
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      -
+        name: Setup uv
+        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
+        with:
+          enable-cache: false
+      -
+        name: Install zizmor
+        run: |
+          set -ex
+          uv tool install zizmor@${ZIZMOR_VERSION}
+      -
+        name: Run zizmor
+        id: zizmor
+        run: |
+          mkdir -p ${TMPDIR}
+          set -ex
+          zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . > ${TMPDIR}/zizmor.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Zizmor crash report
+        if: ${{ failure() && steps.zizmor.conclusion == 'failure' }}
+        run: |
+          cat ${TMPDIR}/report-*.toml
+      -
+        name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
+        with:
+          sarif_file: ${{ env.TMPDIR }}/zizmor.sarif
+          category: zizmor
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..efe8dec
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,9 @@
+rules:
+  # rule does not apply to reusable worfklows where permissions are defined by
+  # the caller workflow and not the reusable workflow itself: https://github.com/docker/github-builder/issues/24
+  # https://docs.zizmor.sh/audits/#excessive-permissions
+  excessive-permissions:
+    ignore:
+      - bake.yml
+      - build.yml
+      - verify.yml
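Review bot: The `Run zizmor` step exports `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` while the command passes `--no-online-audits`, so as written the token is handed to a process that has no use for it; either drop the `env:` block from that step or drop the flag, depending on whether the online audits are wanted. Separately, the `pull_request` trigger also fires for pull requests from forks, where GITHUB_TOKEN is read-only regardless of the `security-events: write` declaration, so the `Upload SARIF report` step will most likely fail on those runs; a guard such as `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}` on that step, or a comment stating that fork PRs are expected to fail here, would avoid confusion. Lastly, `uv tool install zizmor@${ZIZMOR_VERSION}` is a version pin only, unlike the digest-pinned actions around it, which makes it the one fetch in this job whose provenance is not fixed; that is acceptable for a linter but worth a comment if the repository otherwise requires digest pinning.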
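Review bot: The comment on the second line of `.github/zizmor.yml` misspells "workflows" as "worfklows"; suggested `# rule does not apply to reusable workflows where permissions are defined by`. The ignore list names `bake.yml`, `build.yml` and `verify.yml`, none of which is touched by this commit, so the comment would help future readers more if it also said that these three are (presumably) the repository's `workflow_call` entry points and that any new reusable workflow must be added here rather than by widening the rule.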