diff --git a/.github/workflows/address-sanitizer.yml b/.github/workflows/address-sanitizer.yml
index dde5bcc..552615f 100644
--- a/.github/workflows/address-sanitizer.yml
+++ b/.github/workflows/address-sanitizer.yml
@@ -4,6 +4,7 @@ on:
   pull_request:
   schedule:
     - cron: '13 15 * * SUN'
+permissions: {}
 jobs:
   build:
     name: Address Sanitizer
diff --git a/.github/workflows/clang-analyzer.yml b/.github/workflows/clang-analyzer.yml
index 1c5460f..0fd30ab 100644
--- a/.github/workflows/clang-analyzer.yml
+++ b/.github/workflows/clang-analyzer.yml
@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: '3 15 * * SUN'
 
+permissions: {}
+
 jobs:
   clang-analyzer:
     name: Clang Static Analysis
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e9969c7..7c36265 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,6 +8,8 @@ on:
   schedule:
     - cron: '0 18 * * 0'
 
+permissions: {}
+
 jobs:
   CodeQL-Build:
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5f13aac..fd62a89 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,8 @@ on:
     types:
       - published
 
+permissions: {}
+
 jobs:
   build_wheels:
     name: Build wheels on ${{ matrix.os }}
diff --git a/.github/workflows/test-libmaxminddb.yml b/.github/workflows/test-libmaxminddb.yml
index 73c78b2..0b44861 100644
--- a/.github/workflows/test-libmaxminddb.yml
+++ b/.github/workflows/test-libmaxminddb.yml
@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: '3 15 * * SUN'
 
+permissions: {}
+
 jobs:
   build:
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c1f91ac..500d20c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: '3 15 * * SUN'
 
+permissions: {}
+
 jobs:
   build:
 
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index c09cf12..5c7ec52 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -27,6 +27,6 @@ jobs:
           enable-cache: false
 
       - name: Run zizmor
-        run: uvx zizmor --format plain .
+        run: uvx zizmor@1.2.2 --format plain .
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}