diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4f6ff3f..c810caf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,6 @@ updates:
 directory: ".github/actions/core" # Location of package manifests
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 7
+ semver-major-days: 14
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 72dc78e..67f1984 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -2,8 +2,7 @@ name: Build & Test
 on:
 pull_request:
- branches:
- - main
+ branches: [main]
 types:
 - opened
 - synchronize
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ccd9c0e..ef65240 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,7 +28,7 @@ name: "CodeQL Advanced"
-on:
+on: # zizmor: ignore[pull-request-target]
 push:
 branches: [main]
 pull_request:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 69b574b..46fdafb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
 - name: Generate Changelog
 id: changelog
- uses: mikepenz/release-changelog-builder-action@v6
+ uses: mikepenz/release-changelog-builder-action@348e88fab4c37338b1e803ceb2d4a7a5db6c0833 # v6
 with:
 configuration: "configuration.json"
 mode: "COMMIT"
@@ -171,7 +171,7 @@ jobs:
 git push -f origin "v$MAJOR_VERSION"
 - name: Create Release
- uses: softprops/action-gh-release@v3
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
 with:
 tag_name: "v${{ inputs.version }}"
 name: "v${{ inputs.version }}"
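Review bot: The new `cooldown:` block in `.github/dependabot.yml` has no comment saying why updates are held back, which makes it easy for a later maintainer to delete it as noise. I would add a line above it such as `# Delay version-update PRs so freshly published releases have time to be vetted; security updates are not delayed by cooldown`. The `package-ecosystem` line of this entry is outside the hunk, so confirm that `semver-major-days` is honoured for that ecosystem; where Dependabot cannot classify a release by semver, only `default-days` would apply.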
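Review bot: The `# zizmor: ignore[pull-request-target]` added to `on:` in `codeql.yml` silences a finding without recording why, and it sits on the key that covers every trigger of the workflow. Only `push` and `pull_request` are visible and the trigger list continues outside the hunk. If a `pull_request_target` trigger follows, it runs with the base repository's token and secrets, so the justification belongs beside the suppression, e.g. `# pull_request_target is required for <reason>; this workflow never checks out or runs PR head code`. If no such trigger exists, the suppression should be dropped. As far as I know zizmor reports this trigger under the audit id `dangerous-triggers`, so check that `pull-request-target` is an id the tool accepts; an unrecognised id would leave the comment doing nothing.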
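Review bot: The trailing `# v6` on the pinned `mikepenz/release-changelog-builder-action` line in `release.yml` names only the floating major tag, so a reader cannot tell which release the commit was resolved from or check it against upstream. Recording the exact release would fix that, e.g. `uses: mikepenz/release-changelog-builder-action@348e88fab4c37338b1e803ceb2d4a7a5db6c0833 # v6.x.y`, where `v6.x.y` is a placeholder for the real tag. The same applies to the `softprops/action-gh-release` pin with `# v3` in the `@@ -171,7` hunk. A pinned SHA no longer picks up upstream fixes, and the only Dependabot entry visible in this commit targets `.github/actions/core`, so confirm a `github-actions` ecosystem entry covers the workflow files. Both hunks cut through the step list, so other `uses:` lines in this release job, which pushes tags and publishes releases, may still reference mutable tags.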