diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index ebfbc88..6787e71 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml @@ -15,26 +15,32 @@ jobs: steps: - name: Check out repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: true # Needed to push the tag - name: Get current version id: version run: | VERSION=$(cat VERSION) - echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Check if tag already exists id: checktag + env: + VERSION: ${{ steps.version.outputs.version }} run: | - if git rev-parse "v${{ steps.version.outputs.version }}" >/dev/null 2>&1; then - echo "skip=true" >> $GITHUB_OUTPUT + if git rev-parse "${VERSION}" >/dev/null 2>&1; then + echo "skip=true" >> "$GITHUB_OUTPUT" else - echo "skip=false" >> $GITHUB_OUTPUT + echo "skip=false" >> "$GITHUB_OUTPUT" fi - name: Push tag if: steps.checktag.outputs.skip == 'false' + env: + VERSION: ${{ steps.version.outputs.version }} run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git tag "${{ steps.version.outputs.version }}" - git push origin "${{ steps.version.outputs.version }}" + git tag "${VERSION}" + git push origin "${VERSION}" diff --git a/.github/workflows/check-for-updates.yml b/.github/workflows/check-for-updates.yml index b1aabe0..7569945 100644 --- a/.github/workflows/check-for-updates.yml +++ b/.github/workflows/check-for-updates.yml @@ -5,9 +5,13 @@ on: - cron: '0 9 * * *' # Runs daily at 9AM UTC workflow_dispatch: +permissions: {} + jobs: check-pr-exists: runs-on: ubuntu-latest + permissions: + pull-requests: read outputs: pr_exists: ${{ steps.check_pr_exists.outputs.pr_exists }} steps: 
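Review bot: The `Check if tag already exists` step tests `git rev-parse "${VERSION}"`, which resolves any revision (a branch name or an abbreviated commit id also matches), not just a tag. It also only sees tags present in the local clone, and the checkout step added here sets no `fetch-depth` or `fetch-tags`, so existing remote tags are probably not fetched. If so, `skip` stays `false` and the job fails at `git push` when the tag already exists. Asking the remote for the exact ref is more reliable: `if git ls-remote --exit-code --tags origin "refs/tags/${VERSION}" >/dev/null 2>&1; then`. The old line checked `v<version>` while the push used the bare version; the new check matches the pushed name, and the commit message should say so, since this is a behaviour change inside a quoting cleanup.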
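Review bot: With `permissions: {}` as the workflow default, every job that uses `GITHUB_TOKEN` needs its own grant, but only `check-pr-exists` receives one in this hunk. The `check-for-updates` job is later given `persist-credentials: true # Needed to push the update`, and no `permissions:` block for it is visible in this diff. If it pushes with the default token, it needs something like `permissions:` / `contents: write` (plus `pull-requests: write` if it opens the PR itself); otherwise the push will be rejected. A short comment above `permissions: {}`, such as `# Deny by default; each job grants only what it needs`, would make the intent clear to the next editor.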
@@ -16,15 +20,15 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - PR_EXISTS=$(gh pr --repo $GITHUB_REPOSITORY \ + PR_EXISTS=$(gh pr --repo "$GITHUB_REPOSITORY" \ list --search "Update tzdata to version" \ --json number --jq '.[] | .number') if [ -n "$PR_EXISTS" ]; then echo "A PR updating the tzdata version already exists: https://github.com/python/tzdata/pulls/${PR_EXISTS}" - echo "pr_exists=true" >> $GITHUB_OUTPUT + echo "pr_exists=true" >> "$GITHUB_OUTPUT" exit 0 else - echo "pr_exists=false" >> $GITHUB_OUTPUT + echo "pr_exists=false" >> "$GITHUB_OUTPUT" fi check-for-updates: @@ -39,6 +43,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 # Shallow clone to save time + persist-credentials: true # Needed to push the update - name: Set up Python 3.12 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 @@ -62,7 +67,7 @@ jobs: # Check for changes if git diff --quiet; then echo "No changes detected." - echo "CHANGES_DETECTED=false" >> $GITHUB_ENV + echo "CHANGES_DETECTED=false" >> "$GITHUB_ENV" exit 0 fi @@ -75,11 +80,11 @@ jobs: exit 1 fi - if [ $(echo "$news_files" | wc -l) -ne 1 ]; then + if [ "$(echo "$news_files" | wc -l)" -ne 1 ]; then echo "More than one new file added in news.d, failing the job." exit 1 fi - echo "CHANGES_DETECTED=true" >> $GITHUB_ENV + echo "CHANGES_DETECTED=true" >> "$GITHUB_ENV" # Extract TZDATA_VERSION from filename TZDATA_VERSION=$(basename "$news_files" .md) @@ -87,7 +92,7 @@ jobs: # Extract TZDATA_NEWS from file content TZDATA_NEWS=$(cat "$news_files") - echo "TZDATA_VERSION=$TZDATA_VERSION" >> $GITHUB_ENV + echo "TZDATA_VERSION=$TZDATA_VERSION" >> "$GITHUB_ENV" { echo "TZDATA_NEWS<
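Review bot: In the `@@ -16,15 +20,15 @@` hunk, the log message still hard-codes `https://github.com/python/tzdata/pulls/${PR_EXISTS}` although the query now targets `"$GITHUB_REPOSITORY"`. The link is therefore wrong on forks, and `/pulls/<n>` is not the path of a single pull request. Suggested line: `echo "A PR updating the tzdata version already exists: https://github.com/${GITHUB_REPOSITORY}/pull/${PR_EXISTS}"`. The jq filter `.[] | .number` emits one number per matching PR, so `PR_EXISTS` may hold several lines; the `-n` test still works, but the printed URL would be malformed in that case.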
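Review bot: In the `@@ -39,6 +43,7 @@` hunk, `persist-credentials: true` leaves the checkout token usable by every later step of `check-for-updates`, not only the push. That includes the Python setup shown here and whatever update code runs afterwards. The push step itself is outside the visible hunks, so this cannot be confirmed from the diff, but the narrower pattern is to keep `persist-credentials: false` and give the token only to the pushing step, for example with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in that step's `env:` and `gh auth setup-git` before `git push`. If the persisted token is kept, the comment should state the exposure, e.g. `# Token stays available to all later steps; required by the final git push`.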
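Review bot: In the `@@ -75,11 +80,11 @@` hunk, `TZDATA_VERSION=$(basename "$news_files" .md)` takes its value from a file name and the next hunk appends it to `"$GITHUB_ENV"` unchecked. A name containing a newline or other unexpected characters would then define extra environment variables for later steps. Quoting the redirect target does not prevent this, so the value should be validated before it is written. If versions follow the usual year-plus-letter form, one line after the `basename` call is enough: `[[ "$TZDATA_VERSION" =~ ^[0-9]{4}[a-z]+$ ]] || { echo "Unexpected version: $TZDATA_VERSION"; exit 1; }`. The `run:` block starts before this hunk and continues past it.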