diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0626eb89..9a16081b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,8 @@ jobs:
 steps:
 - run: dnf install -y git make
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install dependencies
 run: |
 make test-deps
@@ -27,6 +29,8 @@ jobs:
 steps:
 - run: dnf install -y git make
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install dependencies
 run: |
 make build-deps
@@ -45,6 +49,8 @@ jobs:
 steps:
 - run: dnf install -y make
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install dependencies
 run: |
 make test-deps
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index 834feade..6a2deb08 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -23,6 +23,8 @@ jobs:
 steps:
 - run: dnf install -y make git
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install dependencies
 run: make build-deps
 - name: Build RPM
@@ -56,6 +58,8 @@ jobs:
 path: "securedrop-yum-test"
 lfs: true
 token: ${{ secrets.PUSH_TOKEN }}
+ # We need to store credentials here
+ persist-credentials: true
 - name: Commit and push
 run: |
 git config --global user.email "securedrop@freedom.press"
diff --git a/Makefile b/Makefile
index 8c7e00f2..a5506597 100644
--- a/Makefile
+++ b/Makefile
@@ -210,7 +210,7 @@ venv: ## Provision a Python 3 virtualenv for development (ensure to also install
 check: lint test ## Runs linters and tests
 
 .PHONY: lint
-lint: check-ruff mypy rpmlint shellcheck ## Runs linters (ruff, mypy, rpmlint, and shellcheck)
+lint: check-ruff mypy rpmlint shellcheck zizmor ## Runs all linters
 
 .PHONY: test-launcher
 test-launcher: ## Runs launcher tests
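Review bot: The `actions/checkout@v4` reference directly above the added `with:` block is still a mutable tag, so the checkout action's own code is not pinned even though its credentials no longer persist; pin it to the full commit SHA of the v4 release (`- uses: actions/checkout@<full-commit-sha> # v4`) so the action cannot change underneath the workflow. The same applies to the other two ci.yml hunks and to the first nightlies.yml hunk. zizmor, which this commit wires into `make lint`, has an `unpinned-uses` audit that may report these once it runs, depending on the severity threshold it is run with.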
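Review bot: The added comment `# We need to store credentials here` says what the setting does but not why, and this is the one checkout in the diff that deliberately keeps a token (`${{ secrets.PUSH_TOKEN }}`) in the working tree's git config under `securedrop-yum-test`. A comment naming the consumer and the constraint is more useful: `# Keep credentials: the "Commit and push" step below pushes with PUSH_TOKEN; do not archive or upload this checkout path`. If zizmor's `artipacked` audit reports this step once it runs, that comment is also where the justification belongs, rather than a blanket suppression. Whether PUSH_TOKEN is scoped to the target repository only is not visible here and is worth confirming.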
@@ -238,6 +238,10 @@ rpmlint: ## Runs rpmlint on the spec file
 shellcheck: ## Runs shellcheck on all shell scripts
 ./scripts/shellcheck.sh
 
+.PHONY: zizmor
+zizmor: ## Lint GitHub Actions workflows
+ poetry run zizmor .
+
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" to parse lines for make targets.
 # 2. Check for second field matching, skip otherwise.
diff --git a/poetry.lock b/poetry.lock
index e5c928d4..c3288578 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.5 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand.
 
 [[package]]
 name = "chardet"
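Review bot: `poetry run zizmor .` is environment-dependent: zizmor's online audits consult GitHub and need a token (GH_TOKEN) to do so, so a developer running `make lint` without one may see different results from CI. The help text should state the intended mode, e.g. `zizmor: ## Lint GitHub Actions workflows (set GH_TOKEN for online audits, or pass --offline)`, or the target should pass `--offline` explicitly so local and CI runs agree. Whether findings produce a nonzero exit at the default severity threshold is worth confirming before relying on this target as a CI gate.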
@@ -482,7 +482,30 @@ files = [
 {file = "typing_extensions-4.12.2.tar.gz", hash = "sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8"},
 ]
 
+[[package]]
+name = "zizmor"
+version = "0.10.0"
+description = "Static analysis for GitHub Actions"
+optional = false
+python-versions = "*"
+files = [
+ {file = "zizmor-0.10.0-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:ffdacfddbb4eb4cbb0126e3875eb21a453414be47fe423824fdf1946fff9cc02"},
+ {file = "zizmor-0.10.0-py3-none-macosx_11_0_arm64.whl", hash = "sha256:948eda1c8a33ac28946972f4672fddd09dd9ad793934b6f5d572b74acce1ec15"},
+ {file = "zizmor-0.10.0-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:1c64fcd25149107aa6a5435fa2cf909b8fd92af2a7dfb8650aad59a1eb10f35e"},
+ {file = "zizmor-0.10.0-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b88048c5b11af489ff37ff064fdd9a9cad6ea9cc34e8c25a9d2e196819859cf1"},
+ {file = "zizmor-0.10.0-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ecac7a28aef6c7e058e0292da6f04345cfd21d36def7acff0038500544bd48c1"},
+ {file = "zizmor-0.10.0-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:85da4c1dd42b031aad3550024c6f9d2525668f04285b4280454c278153383e59"},
+ {file = "zizmor-0.10.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:01743f434d8dacd3d4009999e92ddf2952c2138bfc10ab2eb1e2e592f31cb0a2"},
+ {file = "zizmor-0.10.0-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:4894141e6f0adb4821d377aad91cbcb699c88ae5c816267189926b2d40becdd3"},
+ {file = "zizmor-0.10.0-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d74ec6b1547f529756315238805fdfb58b59b09b6b7b85b49d38a68dc96aa706"},
+ {file = "zizmor-0.10.0-py3-none-musllinux_1_2_i686.whl", hash = "sha256:514c5f0e104008884e4e0a2cdd1ad4cc63fc280791f43a8521f3fb96a7f264af"},
+ {file = "zizmor-0.10.0-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:c9319af1c1806525aa18501488be2f9ba9f03b16ce8cb1c10e98b563e89aacfc"},
+ {file = "zizmor-0.10.0-py3-none-win32.whl", hash = "sha256:20eb70b037116ef29f4b90f298801f3cccb54f0a04e3454ae0ee31e70d554d77"},
+ {file = "zizmor-0.10.0-py3-none-win_amd64.whl", hash = "sha256:7d74d430feb5c0a28fba3a200eac1ae6ce7e7ecbf593f386149f9c41fa02aeea"},
+ {file = "zizmor-0.10.0.tar.gz", hash = "sha256:7bbf8275ac411682200217a60a3f8ce8bf3b545ff9a1ea3c2d26436ad4ca81e1"},
+]
+
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.11"
-content-hash = "3fbe1d6b3e7da910b03f8f0af3e3956bd830f11db10a331ca2c9569ac657e4d2"
+content-hash = "94fa2d8bd83a193dad931dea5be685e5ae3885321bd8d5a0bec61ea104ee7dd0"
diff --git a/pyproject.toml b/pyproject.toml
index d47b0b3c..171119c1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -25,6 +25,7 @@ types-setuptools = "^75.6.0"
 ruff = "^0.8.3"
 python-debian = "^0.1.49"
 pysequoia = "^0.1.25"
+zizmor = "*"
 
 [tool.ruff]
 line-length = 100
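Review bot: `zizmor = "*"` is the only unconstrained dependency in the pyproject.toml hunk; its neighbours (`ruff = "^0.8.3"`, `python-debian = "^0.1.49"`, `pysequoia = "^0.1.25"`) all carry caret constraints. poetry.lock pins 0.10.0 today, but `*` lets the next `poetry update` move to any release, including major ones whose new or renamed audits would change what `make lint` rejects without any edit to this file. Follow the sibling convention: `zizmor = "^0.10.0"`.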