diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ef050eee..cfe4586e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,6 +9,8 @@ on: pull_request: branches: [ "main" ] +permissions: {} + # Newest push wins: Prevents multiple runs from clashing and wasting runner efforts concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -25,6 +27,7 @@ jobs: # Otherwise `test_deployed_state` will be unhappy. with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: download filtermail run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.6.1/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail - name: run chatmaild tests
@@ -38,6 +41,7 @@ jobs: - uses: actions/checkout@v6 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: initenv run: scripts/initenv.sh
diff --git a/.github/workflows/docs-preview.yaml b/.github/workflows/docs-preview.yaml
index 4502ab6d..13e32bd9 100644
--- a/.github/workflows/docs-preview.yaml
+++ b/.github/workflows/docs-preview.yaml
@@ -7,6 +7,8 @@ on: - 'scripts/build-docs.sh' - '.github/workflows/docs-preview.yaml' +permissions: {} + jobs: scripts: name: build
@@ -16,6 +18,8 @@ jobs: url: https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: initenv run: scripts/initenv.sh
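Review bot: `permissions: {}` at the top of ci.yaml leaves the GITHUB_TOKEN with no scopes, and neither job touched in the later ci.yaml hunks declares job-level `permissions:`, so what each job actually needs from the token stays implicit; the new `zizmor-scan.yml` in this same commit states `contents: read` per job, and adding `permissions:` / `  contents: read` under the ci.yaml jobs would keep the two files consistent and record that checkout is the only token use (checkout of a public repository still succeeds with no scopes, so nothing visible breaks today, but a private repository would need the explicit read). The same applies to the `permissions: {}` additions in docs-preview.yaml and docs.yaml. The `concurrency:` block is cut off by the hunk, so whether `cancel-in-progress` is set, as the "Newest push wins" comment implies, cannot be confirmed from here.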
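Review bot: The `download filtermail` step installs an executable fetched from the release URL with no integrity check, so the test job runs whatever that URL serves at the time; record the expected digest beside the version and verify it before the `chmod +x`, e.g. `curl -fsSL https://github.com/chatmail/filtermail/releases/download/v0.6.1/filtermail-x86_64 -o /usr/local/bin/filtermail && echo "<sha256-placeholder>  /usr/local/bin/filtermail" | sha256sum -c - && chmod +x /usr/local/bin/filtermail`. The `-f` matters on its own as well: with plain `curl -L`, an error page returned for a moved release would be saved and marked executable, and the failure would only surface later in the tests. `persist-credentials: false` on the checkout is the right companion to the scope-less token. The checkout step whose `with:` block this hunk edits begins before the hunk.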
@@ -34,18 +38,22 @@ jobs: - name: Get Pullrequest ID id: prepare run: | - export PULLREQUEST_ID=$(echo "${{ github.ref }}" | cut -d "/" -f3) + export PULLREQUEST_ID=$(echo "${GITHUB_REF}" | cut -d "/" -f3) echo "prid=$PULLREQUEST_ID" >> $GITHUB_OUTPUT if [ $(expr length "${{ secrets.USERNAME }}") -gt "1" ]; then echo "uploadtoserver=true" >> $GITHUB_OUTPUT; fi - run: | - echo "baseurl: /${{ steps.prepare.outputs.prid }}" >> _config.yml + echo "baseurl: /${STEPS_PREPARE_OUTPUTS_PRID}" >> _config.yml + env: + STEPS_PREPARE_OUTPUTS_PRID: ${{ steps.prepare.outputs.prid }} - name: Upload preview run: | mkdir -p "$HOME/.ssh" echo "${{ secrets.CHATMAIL_STAGING_SSHKEY }}" > "$HOME/.ssh/key" chmod 600 "$HOME/.ssh/key" - rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=no" $GITHUB_WORKSPACE/doc/build/ "${{ secrets.USERNAME }}@chatmail.at:/var/www/html/staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/" + rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=no" $GITHUB_WORKSPACE/doc/build/ "${{ secrets.USERNAME }}@chatmail.at:/var/www/html/staging.chatmail.at/doc/relay/${STEPS_PREPARE_OUTPUTS_PRID}/" + env: + STEPS_PREPARE_OUTPUTS_PRID: ${{ steps.prepare.outputs.prid }} - name: check links working-directory: doc
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 2e22bb82..17e6cdbf 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -10,6 +10,8 @@ on: - 'scripts/build-docs.sh' - '.github/workflows/docs.yaml' +permissions: {} + jobs: scripts: name: build
@@ -19,6 +21,8 @@ jobs: url: https://chatmail.at/doc/relay/ steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: initenv run: scripts/initenv.sh
diff --git a/.github/workflows/zizmor-scan.yml b/.github/workflows/zizmor-scan.yml
new file mode 100644
index 00000000..af97e663
--- /dev/null
+++ b/.github/workflows/zizmor-scan.yml
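Review bot: The `Upload preview` step still splices `${{ secrets.USERNAME }}` and `${{ secrets.CHATMAIL_STAGING_SSHKEY }}` directly into the shell script, the same expression-in-`run:` pattern this commit removes for `steps.prepare.outputs.prid`, and the `expr length "${{ secrets.USERNAME }}"` test in `Get Pullrequest ID` does the same; routing both through `env:` keeps the script body static and lets the username check become `if [ -n "$UPLOAD_USERNAME" ]; then ...`. The rsync line also runs ssh with `-o StrictHostKeyChecking=no`, so the deploy key is offered to whatever answers for `chatmail.at` without the host being authenticated; a known_hosts entry for the staging host, committed with the workflow, allows the check to be turned back on. The rewritten step below keeps the new `STEPS_PREPARE_OUTPUTS_PRID` variable and the existing rsync flags. The enclosing `scripts` job starts before this hunk.

```yaml
      # … unchanged: Get Pullrequest ID and _config.yml steps …
      - name: Upload preview
        env:
          STEPS_PREPARE_OUTPUTS_PRID: ${{ steps.prepare.outputs.prid }}
          UPLOAD_USERNAME: ${{ secrets.USERNAME }}
          STAGING_SSHKEY: ${{ secrets.CHATMAIL_STAGING_SSHKEY }}
        run: |
          mkdir -p "$HOME/.ssh"
          echo "$STAGING_SSHKEY" > "$HOME/.ssh/key"
          chmod 600 "$HOME/.ssh/key"
          # <staging-host-key-placeholder>: public host key of chatmail.at, kept in the repository
          echo "chatmail.at <staging-host-key-placeholder>" >> "$HOME/.ssh/known_hosts"
          rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=yes" "$GITHUB_WORKSPACE/doc/build/" "${UPLOAD_USERNAME}@chatmail.at:/var/www/html/staging.chatmail.at/doc/relay/${STEPS_PREPARE_OUTPUTS_PRID}/"
      # … unchanged: check links step …
```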
@@ -0,0 +1,26 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..f4b7b94a
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: ref-pin
+ dependabot/*: ref-pin
+ chatmail/*: ref-pin
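Review bot: `security-events: write` on the `zizmor` job is not granted to the GITHUB_TOKEN of a `pull_request` run that originates from a fork, so the SARIF upload that the inline comment says this permission exists for would fail on such runs even though the trigger matches `branches: ["**"]`; unless zizmor-action degrades on its own (not visible here), guard the job with `if: github.event.pull_request.head.repo.fork == false` or run those scans in a mode that reports to the log instead of uploading. As a point of style, `actions/checkout@v6` is tag-pinned while `zizmor-action` is SHA-pinned with a `# v0.5.3` marker in the same file; pinning checkout the same way keeps the workflow self-consistent. The inline comment on `security-events: write` runs well past 80 columns and reads better on its own line above the key.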
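Review bot: All three `unpinned-uses` policies are `ref-pin`, which accepts a mutable tag such as `actions/checkout@v6`, so a retargeted tag would still pass the scan; the project's own `zizmor-scan.yml` already pins `zizmor-action` by commit SHA, and `hash-pin` for these publishers would make the policy match that practice. No catch-all entry is listed, so any publisher outside the three patterns falls back to zizmor's built-in default for this rule; stating it explicitly, e.g. `"*": hash-pin`, makes the intended posture visible in the file. The glob keys parse as plain strings only because `*` is not their first character; quoting them, `"actions/*": ref-pin`, protects against a later key that starts with `*` (a YAML alias sigil).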