diff --git a/.github/renovate.json b/.github/renovate.json
index 651ca20..3e5f756 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": ["github>Boshen/renovate"],
+ "extends": ["github>Boshen/renovate", "helpers:pinGitHubActionDigests"],
 "packageRules": [
 {
 "groupName": "npm packages",
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2c269d1..c831dc3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,7 +12,10 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/pnpm
diff --git a/.github/workflows/bump_oxlint.yml b/.github/workflows/bump_oxlint.yml
index d6fa7eb..6d3df6a 100644
--- a/.github/workflows/bump_oxlint.yml
+++ b/.github/workflows/bump_oxlint.yml
@@ -14,14 +14,18 @@ jobs:
 bump:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false # should be fine, we give another token for PR creation
 - uses: ./.github/actions/pnpm
 - name: Generate version ${{ inputs.version }}
+ env:
+ OXLINT_VERSION: ${{ inputs.version }}
 run: |
- pnpm install oxlint@${{ inputs.version }}
- pnpm run clone ${{ inputs.version }}
+ pnpm install oxlint@${OXLINT_VERSION}
+ pnpm run clone ${OXLINT_VERSION}
 pnpm run generate # Generate rules from source code
 pnpm run format # run prettier over it
@@ -30,7 +34,9 @@ jobs:
 run: pnpm run test -u # Update test snapshots
 - name: Bump oxlint rules
- run: npm version ${{ inputs.version }} --no-git-tag-version
+ env:
+ OXLINT_VERSION: ${{ inputs.version }}
+ run: npm version ${OXLINT_VERSION} --no-git-tag-version
 - uses: peter-evans/create-pull-request@v7
 with:
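Review bot: The digest on the checkout step in build.yml is annotated only with the major tag, `# v4`, so a reader cannot tell which release the SHA was taken from without querying GitHub. Recording the exact release the digest resolves to (`# v4.x.y`, whatever tag that SHA actually corresponds to) makes the pin reviewable against the upstream release and lets the new Renovate digest updates show a meaningful version delta. The same `# v4` annotation is repeated on every checkout pin in this commit, so whichever form is chosen should be applied consistently.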
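Review bot: Moving `inputs.version` into `OXLINT_VERSION` stops it being spliced into the script text, but the value still reaches `pnpm install oxlint@${OXLINT_VERSION}` and `pnpm run clone ${OXLINT_VERSION}` unquoted and unvalidated, so a value containing spaces or starting with `-` is word-split and can be read by pnpm as extra arguments or flags. Since this appears to be a dispatch input (inferred from `inputs.version`), gate it at the top of the `run: |` block with `[[ "$OXLINT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version: $OXLINT_VERSION" >&2; exit 1; }` (loosen the pattern if pre-release tags are expected) and quote both expansions as `"${OXLINT_VERSION}"`. The `run: |` block may continue past the end of the hunk.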
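Review bot: `peter-evans/create-pull-request@v7` in this hunk is still referenced by a mutable tag while every checkout in the same commit was moved to a commit digest, so the step that, per the comment above, is handed a separate token for opening pull requests is the one action left resolvable to whatever the tag points at tomorrow. Pin it the same way, `uses: peter-evans/create-pull-request@<sha> # v7.x.y`, taking the digest from the release you intend to run; the `helpers:pinGitHubActionDigests` preset added in renovate.json will presumably do this in a follow-up, but it should not ship unpinned in between. The `with:` block for this step continues past the hunk.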
diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml
new file mode 100644
index 0000000..5813a1c
--- /dev/null
+++ b/.github/workflows/ci_security.yml
@@ -0,0 +1,41 @@
+name: GitHub Actions Security Analysis
+
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [opened, synchronize]
+ paths:
+ - '.github/workflows/**'
+ push:
+ branches:
+ - main
+ - 'renovate/**'
+ paths:
+ - '.github/workflows/**'
+
+jobs:
+ zizmor:
+ name: zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+
+ - uses: taiki-e/install-action@8c39981484df4e7ba41af8e8e078ac546d5e1b11 # v2.46.8
+ with:
+ tool: zizmor
+
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index d0a598b..e4f40e2 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -12,7 +12,10 @@ jobs:
 format:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: Run Format (prettier)
 run: npx prettier . --check
diff --git a/.github/workflows/generate.yml b/.github/workflows/generate.yml
index bf52ff2..ca10366 100644
--- a/.github/workflows/generate.yml
+++ b/.github/workflows/generate.yml
@@ -21,7 +21,10 @@ jobs:
 generate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/pnpm
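Review bot: The job-level `permissions` block in ci_security.yml grants only `security-events: write`, and an explicit job-level block sets every unlisted scope to `none`, so the token handed to `actions/checkout` and `github/codeql-action/upload-sarif` carries neither `contents: read` nor `actions: read`; at least in a private repository the checkout and the SARIF upload will fail, and in a public one the job is relying on implicit access rather than stating what it needs. Add `contents: read` and `actions: read` under `permissions:`. Separately, if zizmor exits non-zero when it reports findings (its default unless `--no-exit-codes` is passed, as far as I recall), the `Upload SARIF file` step is skipped precisely when there is something to upload; add `if: always()` to that step or change the command to `zizmor --no-exit-codes --format sarif . > results.sarif` and let the code-scanning alerts carry the result.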
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 18d19a5..6590c8a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,7 +12,10 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/pnpm
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 05504da..bb83da0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,9 +12,10 @@ jobs:
 contents: write
 id-token: write # for `npm publish --provenance`
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: ./.github/actions/pnpm
@@ -22,14 +23,16 @@ jobs:
 run: pnpm run build
 - name: Extract version from commit message
+ env:
+ COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
 run: |
- VERSION=$(echo "${{ github.event.head_commit.message }}" | grep -oP 'release: \Kv[0-9]+\.[0-9]+\.[0-9]+')
+ VERSION=$(echo "${COMMIT_MESSAGE}" | grep -oP 'release: \Kv[0-9]+\.[0-9]+\.[0-9]+')
 echo "VERSION=$VERSION" >> $GITHUB_ENV
 - name: Create and push tag
 run: |
- git tag ${{ env.VERSION }}
- git push origin ${{ env.VERSION }}
+ git tag ${VERSION}
+ git push origin ${VERSION}
 - run: npx changelogithub
 continue-on-error: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f5a628b..f5ec7e8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,7 +12,10 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/pnpm
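Review bot: `git push origin ${VERSION}` in this hunk runs inside a checkout that the earlier hunk of release.yml now configures with `persist-credentials: false`, so unless something outside this diff installs a credential helper the push has no token and the tag never reaches GitHub, even though the job holds `contents: write`. Either leave credentials persisted for this one job (it is the job that legitimately needs to write) or push with an explicit token: `git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" "${VERSION}"` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in that step's `env:`. While here, quote `"$GITHUB_ENV"` and `"${VERSION}"`, and since `grep -oP` can emit one match per line of a multi-line commit message, pipe through `head -n1` before writing to `GITHUB_ENV` so the tag name stays single-valued.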
diff --git a/.github/workflows/type-check.yml b/.github/workflows/type-check.yml
index 41829b2..622d309 100644
--- a/.github/workflows/type-check.yml
+++ b/.github/workflows/type-check.yml
@@ -12,7 +12,10 @@ jobs:
 type-check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - uses: ./.github/actions/pnpm