diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eb8b999..d4cdac9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,8 @@ on:
     types:
       - published
 
+permissions: {}
+
 jobs:
   build:
     name: Build source distribution
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1a21574..a3ebec0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: '3 15 * * SUN'
 
+permissions: {}
+
 jobs:
   build:
 
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index c09cf12..5c7ec52 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -27,6 +27,6 @@ jobs:
           enable-cache: false
 
       - name: Run zizmor
-        run: uvx zizmor --format plain .
+        run: uvx zizmor@1.2.2 --format plain .
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}