diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
index 5fce3b5aec07d..cfc59a3f7095a 100644
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@@ -23,6 +23,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   PACKAGE_NAME: ruff
   MODULE_NAME: ruff
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index cab62cd9d64f6..6f5fb1051fcdc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,5 +1,7 @@
 name: CI
 
+permissions: {}
+
 on:
   push:
     branches: [main]
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 5e738105ef981..383dcea02fbd6 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -10,3 +10,10 @@ rules:
     ignore:
       - build-docker.yml
       - publish-playground.yml
+  excessive-permissions:
+    # it's hard to test what the impact of removing these ignores would be
+    # without actually running the release workflow...
+    ignore:
+      - build-docker.yml
+      - publish-playground.yml
+      - publish-docs.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 154c8bf7c2d05..377dd838c6071 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -91,7 +91,7 @@ repos:
   # zizmor detects security vulnerabilities in GitHub Actions workflows.
   # Additional configuration for the tool is found in `.github/zizmor.yml`
   - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.1.1
+    rev: v1.2.2
     hooks:
       - id: zizmor
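Review bot: The new top-level `permissions: {}` in build-binaries.yml strips every scope from `GITHUB_TOKEN` for all jobs, but none of the jobs are visible in this hunk, so it cannot be confirmed here that each job that uploads, publishes or attests declares its own job-level `permissions:` block (e.g. `contents: read`, `id-token: write`, `attestations: write`). Any job still relying on the repository's default token permissions will fail at runtime rather than at lint time, so each job should be checked before merge. The intent is also undocumented; I would add above the line `# No token scopes by default; every job must declare the permissions it needs.` The workflow's `jobs:` section is outside this hunk.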
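Review bot: A point of style: in ci.yaml the `permissions: {}` key is inserted between `name:` and `on:`, whereas the sibling change to build-binaries.yml places it after `concurrency:`; keeping the same key order across workflows makes the least-privilege default easy to spot in review. The same caveat applies as for the other workflow: with the token now scope-less by default, any CI job that writes checks, comments on pull requests or uploads to an external service needs an explicit job-level `permissions:` block, and the `jobs:` section is outside this hunk. A one-line comment such as `# Least privilege: jobs opt in to the scopes they need.` would document the choice.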
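Review bot: The new `excessive-permissions` ignore list suppresses the finding on exactly the workflows that carry the most privilege (Docker publish, playground publish, docs publish), and the justification comment describes a testing difficulty rather than a conclusion that the permissions are needed; suppressions on release workflows deserve a tracked follow-up so they do not become permanent. I would replace the comment with something like `# TODO: audit job-level permissions in these release workflows and drop the ignore; not yet verified because it requires running a release.` If zizmor's ignore syntax allows scoping an entry to a specific job (I believe it does, but verify against the version pinned in pre-commit), narrowing each entry to the publishing job rather than the whole file would keep the rule active for the rest of the workflow. Note also that `publish-docs.yml` appears only here and not in the preceding rule's ignore list, which is worth confirming is deliberate.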