diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..2ed61128
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: ref-pin
+ codecov/codecov-action: ref-pin
diff --git a/pyproject.toml b/pyproject.toml
index 46145ee4..36cdfe32 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -63,8 +63,9 @@ xdist = [
 "pytest-xdist",
 ]
 linting = [
- "ruff==0.9.5",
 "mypy==1.15.0",
+ "ruff==0.9.5",
+ "zizmor==1.9.0",
 ]
 [project.urls]
 Documentation = "https://pytest-django.readthedocs.io/"
diff --git a/tox.ini b/tox.ini
index a892c38e..fe0e228b 100644
--- a/tox.ini
+++ b/tox.ini
@@ -48,6 +48,7 @@ commands =
 ruff check --diff {posargs:pytest_django pytest_django_test tests}
 ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests}
 mypy {posargs:pytest_django pytest_django_test tests}
+ zizmor --persona=regular .github/workflows/deploy.yml .github/workflows/main.yml
 [testenv:doc8]
 basepython = python3
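Review bot: The `codecov/codecov-action: ref-pin` policy accepts a tag or branch reference for a third-party action, and the publisher can move such a ref to different code after it was reviewed. The workflow would then run that code with whatever token or secrets the job exposes. Unlike `actions/*`, this action sits outside GitHub's own namespace, so I would set `codecov/codecov-action: hash-pin` and reference the full commit SHA in the workflow, keeping the version in a trailing comment. If the exception is deliberate, a comment above the line should record why it was accepted. It is also worth confirming how zizmor 1.9.0 treats actions that match neither pattern, and adding an explicit `"*": hash-pin` entry if the built-in default no longer applies once `policies` is set.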
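Review bot: The added zizmor command names `deploy.yml` and `main.yml` explicitly, so a workflow added later under `.github/workflows/` is not audited unless this line is edited as well. Pointing the tool at the repository root, `zizmor --persona=regular .`, should cover every workflow. Please confirm that directory input collection behaves as expected with the pinned 1.9.0 and does not descend into tox or virtualenv directories. The `[testenv:...]` section that owns this `commands =` list starts outside the hunk, so I cannot see which dependencies it installs.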