diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 63290c7..0b7b466 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,10 +19,16 @@ jobs:
       id-token: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      # zizmor complains that 'v1' is a ref that can be provided by both the branch and tag namespaces.
+      # specify that we want the v1 branch.
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@refs/heads/v1
         with:
-          bundler-cache: true
           ruby-version: ruby
 
-      - uses: rubygems/release-gem@v1
+      # zizmor complains that 'v1' is a ref that can be provided by both the branch and tag namespaces.
+      # specify that we want the v1 branch.
+      - uses: rubygems/release-gem@refs/heads/v1
diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml
index 95cff91..6369b49 100644
--- a/.github/workflows/rubocop.yml
+++ b/.github/workflows/rubocop.yml
@@ -11,8 +11,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+        with:
+          persist-credentials: false
+
+      # zizmor complains that 'v1' is a ref that can be provided by both the branch and tag namespaces.
+      # specify that we want the v1 branch.
+      - uses: ruby/setup-ruby@refs/heads/v1
         with:
           ruby-version: 3.4
+
       - run: bundle install
       - run: bundle exec rake -t rubocop
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b9a44d8..93415e6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,8 +29,13 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
-      - uses: ruby/setup-ruby@v1
+          persist-credentials: false
+
+      # zizmor complains that 'v1' is a ref that can be provided by both the branch and tag namespaces.
+      # specify that we want the v1 branch.
+      - uses: ruby/setup-ruby@refs/heads/v1
         with:
           ruby-version: ${{ matrix.version }}
+
       - run: bundle install
       - run: bundle exec rake -t test
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..c09cf12
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,32 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: false
+
+      - name: Run zizmor
+        run: uvx zizmor --format plain .
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}