diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f2d0587..63ed85e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,9 +11,21 @@ concurrency: cancel-in-progress: true jobs: + prechecks: + uses: ./.github/workflows/pre-commit.yml + separate-zizmor: + uses: ./.github/workflows/zizmor.yml + all-prechecks: + needs: [prechecks, separate-zizmor] + runs-on: ubuntu-latest + steps: + - name: Success + run: "true" nix: + needs: [all-prechecks] uses: ./.github/workflows/nix.yml unit-tests: + needs: [all-prechecks] uses: ./.github/workflows/test.yml docker: needs: [nix, unit-tests] diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml new file mode 100644 index 0000000..f16b20c --- /dev/null +++ b/.github/workflows/pre-commit.yml @@ -0,0 +1,22 @@ +--- +name: pre-commit + +# yamllint disable-line rule:truthy +on: + workflow_call: + +concurrency: + group: style-${{github.ref}}-${{github.event.pull_request.number || github.run_number}} + cancel-in-progress: true + +permissions: {} + +jobs: + pre-commit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a9b9865..12f27aa 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,6 +10,8 @@ concurrency: group: test-${{github.ref}}-${{github.event.pull_request.number || github.run_number}} cancel-in-progress: true +permissions: {} + jobs: build_and_test: name: build and test @@ -22,6 +24,8 @@ jobs: - nightly steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: clean up cargo bin dir for rustup run: | rm "${HOME}"/.cargo/bin/cargo-fmt 
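Review bot: The new `separate-zizmor` job in the ci.yml hunk passes no `permissions` to the workflow it calls, yet the job in zizmor.yml asks for `security-events: write`, and a called workflow can only narrow the token permissions it receives from the caller, never widen them. The `excessive-permissions` ignore added for ci.yml in `.github/zizmor.yml` suggests ci.yml has no top-level `permissions` block and relies on the repository's default token, which is either broader than any job here needs or too narrow for the SARIF upload; the head of ci.yml is outside this hunk, so that part is inferred. I would grant the three scopes on this job only (below), add `permissions: {}` at the top of ci.yml as this commit already does for test.yml, and drop the ignore rather than suppress the finding.
```yaml
  separate-zizmor:
    uses: ./.github/workflows/zizmor.yml
    permissions:
      security-events: write
      contents: read
      actions: read
  # … unchanged: prechecks, all-prechecks, nix, unit-tests, docker …
```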
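Review bot: The `pre-commit` job inherits the workflow-level `permissions: {}` and declares no scopes of its own, so `actions/checkout` runs with a token that lacks `contents: read` and succeeds only because a public repository can be cloned anonymously; zizmor.yml in the same commit grants `contents: read` at job level for exactly this reason. Adding `permissions:` / `  contents: read` under `runs-on:` keeps the read-only intent explicit and the job working if the repository is ever private; the same applies to `build_and_test` in test.yml, which now gets `permissions: {}` at the top of the file and, as far as its two hunks show, no job-level grant. Separately, `actions/setup-python` is used without a `python-version` or `python-version-file` input, so the hook environments are built against whichever Python the runner image happens to ship; pinning it makes pre-commit runs reproducible.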
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..8cb531b
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,39 @@
+---
+# derived from https://woodruffw.github.io/zizmor/usage/#use-in-github-actions
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+# yamllint disable-line rule:truthy
+on:
+ workflow_call:
+
+concurrency:
+ group: zizmor-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # required for workflows in private repositories
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..ec2d59d
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+---
+rules:
+ excessive-permissions:
+ ignore:
+ - ci.yml
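Review bot: `uvx zizmor` in the `Run zizmor 🌈` step resolves the newest zizmor release from PyPI on every run, making the security scanner itself the one unpinned dependency in a commit that pins every action to a commit SHA; pin it with a requirement specifier, `run: uvx zizmor==<VERSION> --format sarif . > results.sarif` (placeholder version), and let the dependency bot bump it. A second point to confirm against the version you pin: if zizmor exits non-zero when it reports findings, the `Upload SARIF file` step is skipped exactly when there is something worth uploading. If that is its behaviour, either run the upload step under `if: always()` or pass zizmor's `--no-exit-codes` option so the step does not fail on findings and the code-scanning alerts carry the result.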