diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
index ee8433d34..5ee573650 100644
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@@ -28,7 +28,12 @@ jobs:
 analysis:
 runs-on: ubuntu-latest
 steps:
- - name: Setup variables
+ - name: Disabled on forks
+ if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+ run: |
+ echo 'Can not analyze PRs from forks'
+ exit 1
+ - name: Setup variables # zizmor: ignore[template-injection]
 id: get-vars
 run: |
 if [ -z "$GITHUB_HEAD_REF" ]; then
@@ -48,6 +53,7 @@ jobs:
 fi
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
+ persist-credentials: false
 repository: ${{ steps.get-vars.outputs.repo }}
 ref: ${{ steps.get-vars.outputs.branch }}
 - name: Set up JDK 17
diff --git a/.github/workflows/autoApproveSync.yml b/.github/workflows/autoApproveSync.yml
index 738cf4131..c215be0b3 100644
--- a/.github/workflows/autoApproveSync.yml
+++ b/.github/workflows/autoApproveSync.yml
@@ -6,7 +6,7 @@ name: Auto approve sync
 on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 branches:
 - master
 - main
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 12d024a99..9ef033b32 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -35,6 +35,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Set Swap Space
 if: runner.environment == 'github-hosted'
 uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c # v1.0
diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml
index 7d4966907..98e9fada7 100644
--- a/.github/workflows/pr-feedback.yml
+++ b/.github/workflows/pr-feedback.yml
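Review bot: The `Disabled on forks` step at the top of the `analysis` job fails every run that is not a pull request: when `github.event.pull_request` is absent (push, schedule, manual dispatch) the left side of the comparison is null, `null != github.repository` is true, and the step exits 1; the `if [ -z "$GITHUB_HEAD_REF" ]` branch in the following step suggests such runs are expected. Restrict the guard to the PR event, `if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}`. The `# zizmor: ignore[template-injection]` marker on `Setup variables` waives the finding without saying which `${{ }}` expansion was reviewed and why it is trusted; a few words after the marker would let the next reader verify it, though the `run:` body it covers continues past this hunk.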
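Review bot: The `# zizmor: ignore[dangerous-triggers]` marker on `pull_request_target` records that the warning was waived but not why, and the same bare marker appears in the `on:` hunk of renovate-approve-merge.yml. This trigger runs the job in the base repository's context, with its secrets and a token that the job's `permissions:` can make write-capable, for pull requests from any source; the waiver is sound only while the job neither checks out nor executes pull-request head content, which is not visible in this hunk. State that condition next to the marker so it can be checked against the steps, e.g. `pull_request_target: # zizmor: ignore[dangerous-triggers] -- job only approves; PR head is never checked out`.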
@@ -36,7 +36,7 @@ jobs:
 blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -)
 echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT"
- - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4
+ - uses: nextcloud/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 # main
 with:
 feedback-message: |
 Hello there,
diff --git a/.github/workflows/renovate-approve-merge.yml b/.github/workflows/renovate-approve-merge.yml
index 48b98e91a..ccfed3974 100644
--- a/.github/workflows/renovate-approve-merge.yml
+++ b/.github/workflows/renovate-approve-merge.yml
@@ -9,7 +9,7 @@ name: Auto approve renovate PRs
 on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 branches:
 - main
 - master
@@ -24,7 +24,7 @@ concurrency:
 jobs:
 auto-approve-merge:
- if: github.actor == 'renovate[bot]'
+ if: github.event.pull_request.user.login == 'renovate[bot]'
 runs-on: ubuntu-latest
 permissions:
 # for hmarr/auto-approve-action to approve PRs
@@ -52,7 +52,7 @@ jobs:
 # Enable GitHub auto merge
 - name: Auto merge
- uses: alexwilson/enable-github-automerge-action@main
+ uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0
 if: startsWith(steps.branchname.outputs.branch, 'renovate/')
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
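Review bot: The new `uses:` line pins `nextcloud/pr-feedback-action` to a commit but annotates it `# main` instead of a release tag, unlike every other pin in this changeset (`# v4.2.2`, `# v1.0`, `# v2.0.0`). Renovate's github-actions manager reads that trailing comment as the tracked version, so if digest updates are enabled here (the renovate-approve-merge.yml workflow suggests Renovate is in use) the pin will follow the head of the upstream `main` branch rather than a tagged release, and each digest bump deserves the scrutiny of an unpinned `@main`. If the action has no tags yet, say so in the comment (`# main, no release tags`) so the choice is visible to the next reviewer.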
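Review bot: The new job-level `if:` on `auto-approve-merge` widens who can get a change approved: `github.event.pull_request.user.login` is the PR author, so the job now also runs on `synchronize` events where a human collaborator pushed commits to a Renovate-authored branch, whereas `github.actor` skipped those runs; since this job approves with a write-capable token and the `Auto merge` step further down only checks that the branch name starts with `renovate/`, such a pushed commit would be approved without a human review. If that is not intended, keep both conditions, `if: github.event.pull_request.user.login == 'renovate[bot]' && github.actor == 'renovate[bot]'`, and either way add a comment above the line stating why the author is compared rather than the actor so the choice survives the next cleanup. The approve step itself is outside this hunk, so whether it carries its own condition cannot be confirmed here.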