diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 78b9bdd..b98b74f 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -1,15 +1,19 @@
 name: "CLA Assistant"
 
+# NOTE: This workflow runs against PR *target* branches, not against the source branches.
+# This ensures modified code cannot be executed with the workflow's permissions.
+# It's still easier to misuse than most potential triggers, hence the zizmor warning.
+
 on:
   issue_comment:
     types: [created]
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types: [opened, closed, synchronize, labeled] # Added "labeled" event to check for label changes
   workflow_dispatch: # Allow manual triggering of the workflow
 
 permissions:
   actions: write
-  contents: write
+  contents: read # Signatures are stored in a dedicated repository
   pull-requests: write
   statuses: write
   checks: write
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0c3cf88..3abfc50 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,8 @@ on:
   release:
     types: [published]
 
+# Require explicit job permissions
+permissions: {}
 
 jobs:
   pypi-publish:
diff --git a/.github/workflows/scan-workflows.yml b/.github/workflows/scan-workflows.yml
index 084a876..8e7a7c9 100644
--- a/.github/workflows/scan-workflows.yml
+++ b/.github/workflows/scan-workflows.yml
@@ -11,15 +11,15 @@ on:
     branches:
       - main
 
+# Require explicit job permissions
+permissions: {}
+
 jobs:
   zizmor:
     name: zizmor latest via PyPI
     runs-on: ubuntu-latest
     permissions:
       security-events: write
-      # required for workflows in private repositories
-      contents: read
-      actions: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
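Review bot: The new NOTE above `pull_request_target` justifies the zizmor suppression with a claim that only holds while no job checks out or executes code from the PR head (`github.event.pull_request.head.*`); the jobs are outside this hunk, so that invariant cannot be confirmed here, and it is not written where the next editor of the steps will see it. Suggest extending the comment with `# Safe only while no job checks out or runs code from the PR head ref; a step that does so must not inherit the write permissions below.` The workflow also keeps its grants at workflow level (`actions: write`, `pull-requests: write`, `statuses: write`, `checks: write`), so every job — including runs started by an `issue_comment` from any user who can comment — receives all of them. The other three workflows in this commit switch to a top-level `permissions: {}` with per-job grants; doing the same here would be consistent and narrower, with `actions: write` the one most worth confining to the job that needs it.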
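Review bot: With the new top-level `permissions: {}`, the `pypi-publish` job below this hunk gets no token scopes unless it declares its own `permissions:` block (typically `id-token: write` for trusted publishing, plus `contents: read` if it checks out the repository); the job body is outside the hunk, so please confirm it does, otherwise the first tagged release will fail at publish time. The same applies to the jobs in test.yml, whose hunk likewise adds only the top-level `permissions: {}`. Once confirmed, a slightly fuller comment would spare the next reader the same check, e.g. `# Require explicit job permissions: every job below declares the scopes it needs`.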
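Review bot: Dropping `contents: read` and `actions: read` together with their "required for workflows in private repositories" note ties the job's checkout and zizmor's token-backed audit (`GH_TOKEN` in the next hunk) to the repository staying public; if visibility ever changes, `actions/checkout@v4` and the audit lose read access without any edit to this file. Read scopes are already the minimal grant, so keeping `contents: read` and `actions: read` under the job's `permissions:` next to `security-events: write` makes the job independent of visibility, and as far as I recall the upload-sarif action enabled in the next hunk lists the same two read scopes for private repositories. If the removal is deliberate, a one-line comment saying the job relies on the repository being public would record that assumption.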
@@ -34,9 +34,8 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      # TODO: upload results once the repository is public
-      # - name: Upload SARIF file
-      #   uses: github/codeql-action/upload-sarif@v3
-      #   with:
-      #     sarif_file: results.sarif
-      #     category: zizmor
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e2a971b..d4c1b1e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,6 +24,9 @@ on:
     branches:
       - main
 
+# Require explicit job permissions
+permissions: {}
+
 defaults:
   run:
     # Use the Git for Windows bash shell, rather than supporting Powershell
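Review bot: The new `Upload SARIF file` step only runs when every earlier step succeeded, and zizmor's step (outside this hunk, only its `env:` is visible) by default exits non-zero when it reports findings, so the runs that most need to reach code scanning are exactly those in which `results.sarif` is never uploaded. Adding `if: ${{ !cancelled() }}` to the upload step keeps the job's failure status while still publishing the results. Separately, consider pinning `github/codeql-action/upload-sarif@v3` to a full commit SHA with the version in a trailing comment, since zizmor's own `unpinned-uses` audit is likely to flag the tag reference in the workflow that runs it.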