diff --git a/.github/workflows/check_commit_messages.yml b/.github/workflows/check_commit_messages.yml
index 70f1dd7d1e..a4594d611c 100644
--- a/.github/workflows/check_commit_messages.yml
+++ b/.github/workflows/check_commit_messages.yml
@@ -8,6 +8,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 check-commit-prefix:
 if: startsWith(github.event.pull_request.base.ref, 'stable/')
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 0000000000..8d1b34ed48
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: ref-pin
+ psf/*: ref-pin
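Review bot: Declaring `permissions:` at workflow level sets every scope not listed to `none`, so whether `contents: read` is sufficient depends on the steps of `check-commit-prefix`, which lie outside this hunk. If the job lists the pull request's commits through the API rather than from a checkout, it may also need `pull-requests: read`; this is worth confirming with a test PR against a `stable/` branch. I would also add a comment above the block, e.g. `# Least privilege: this workflow only reads repository contents`, so that a later step needing more scope extends it deliberately rather than by removing the block.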
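Review bot: `psf/*: ref-pin` accepts mutable tag or branch references for a third-party publisher, so a moved tag on any action under that owner would run in CI without a change in this repository, and the new file carries no comment explaining why these two owners are trusted to that degree. Consider `psf/*: hash-pin` (commit SHA with the version in a trailing comment on the `uses:` line), or at least document the decision, e.g. `# ref-pin: tags accepted for GitHub-owned and PSF-maintained actions only`. It would also help to state the policy for every other owner explicitly with a `'*': hash-pin` entry instead of relying on the tool's fallback, which may differ between zizmor versions.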