diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
index 1695f4635..8e7c51cec 100644
--- a/.github/workflows/ci_cd.yml
+++ b/.github/workflows/ci_cd.yml
@@ -9,6 +9,12 @@ on:
 - "*"
 branches:
 - main
+
+
+permissions:
+ contents: read
+ pull-requests: read
+
 env:
 MAIN_PYTHON_VERSION : '3.13'
 PACKAGE_NAME: 'ansys_sphinx_theme'
@@ -28,6 +34,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 - name: "Update labels"
 uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
@@ -88,6 +96,16 @@ jobs:
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 dev-mode: ${{ github.ref != 'refs/heads/main' }}
 
+ actions-security:
+ name: Actions Security
+ runs-on: ubuntu-latest
+ steps:
+ - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+ with:
+ generate-summary: true
+ token: ${{ secrets.GITHUB_TOKEN }}
+ auditing-level: 'high'
+
 update-changelog:
 name: "Update CHANGELOG (on release)"
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
@@ -118,6 +136,9 @@ jobs:
 doc-deploy-pr:
 name: "Deploy PR documentation"
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 needs: [doc-build]
 # Run when the PR is closed i.e. when docs job is skipped
 if: github.event.action != 'closed' && (needs.doc-build.result == 'success' || needs.doc-build.result == 'skipped')
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1a4e37fa3..b63bf6a0f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -41,3 +41,11 @@ repos:
 files: '(src|doc/source/examples)/.*\.(py)'
 args:
 - --start_year=2021
+
+- repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.12.1
+ hooks:
+ - id: zizmor
+ args:
+ - "--no-progress"
+ - "--persona=pedantic"
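Review bot: The new top-level `permissions:` block carries no comment saying that it is the workflow-wide default for `GITHUB_TOKEN` and that any job needing more must override it at job level, which is what `doc-deploy-pr` does later in this same diff. A one-line comment above it, `# Default GITHUB_TOKEN scope for every job; jobs that need write access declare their own permissions block.`, makes the least-privilege intent explicit for whoever adds the next job. It is also worth keeping in mind that this block only scopes `GITHUB_TOKEN`; the jobs that pass `secrets.PYANSYS_CI_BOT_TOKEN` (visible in the third hunk) are not constrained by it.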
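Review bot: `persist-credentials: false` is added only to the `actions/checkout` step of this job; if any other direct `actions/checkout` step exists elsewhere in the workflow (outside this hunk) it needs the same `with:` block, otherwise the token remains in `.git/config` for every later step of that job. The zizmor hook added to `.pre-commit-config.yaml` in this diff should report any remaining unguarded checkout, so a local pre-commit run is a quick way to confirm there are none.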
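Review bot: `name: Actions Security` is the only unquoted job `name:` in the visible hunks — the neighbouring jobs use `"Update labels"`, `"Update CHANGELOG (on release)"` and `"Deploy PR documentation"` — so `name: "Actions Security"` would match the file's style. The job declares no `permissions:` block and therefore runs with the new workflow-wide `contents: read` / `pull-requests: read` default, which is the right scope for a read-only audit, but since the step passes `${{ secrets.GITHUB_TOKEN }}` explicitly a short comment such as `# Read-only audit; inherits the workflow-level permissions` records that the omission is deliberate.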
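Review bot: `contents: write` and `pull-requests: write` are the only write scopes in this diff and they go to a job that runs on pull-request events (`github.event.action != 'closed'`), yet nothing in the hunk records which step needs which scope; the job body that consumes them starts outside the hunk. A comment above the block naming the consumer of each scope — presumably publishing the preview site for `contents` and posting the preview link for `pull-requests`, to be confirmed against the steps — keeps the scope from growing silently. If this job is reached through `pull_request_target` rather than `pull_request` (the trigger list is outside this hunk), the write-capable token is combined with PR-supplied content, so the trigger is worth confirming in the same review.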
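Review bot: `rev: v1.12.1` pins the zizmor hook to a mutable tag, while every action in `ci_cd.yml` in this same diff is pinned to a full commit SHA with the version in a trailing comment; pre-commit accepts a SHA in `rev`, so `rev: <commit SHA of v1.12.1>  # v1.12.1` would give the hook the same supply-chain guarantee. Separately, the hook runs with `--persona=pedantic` while the CI job in `ci_cd.yml` uses `auditing-level: 'high'`, so the two audits will not necessarily agree on what counts as a finding; if that difference is intentional, a comment on the `args:` line saying so would save the next contributor from chasing local-only warnings.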
diff --git a/doc/changelog.d/820.maintenance.md b/doc/changelog.d/820.maintenance.md
new file mode 100644
index 000000000..ec25d056e
--- /dev/null
+++ b/doc/changelog.d/820.maintenance.md
@@ -0,0 +1 @@
+Add \`zizmor\` security actions