diff --git a/.github/workflows/_reusable_cdk_synth.yml b/.github/workflows/_reusable_cdk_synth.yml
index 4319701..c72f0ec 100644
--- a/.github/workflows/_reusable_cdk_synth.yml
+++ b/.github/workflows/_reusable_cdk_synth.yml
@@ -8,6 +8,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
diff --git a/.github/workflows/_reusable_check.yml b/.github/workflows/_reusable_check.yml
index de895c7..c5bb2bb 100644
--- a/.github/workflows/_reusable_check.yml
+++ b/.github/workflows/_reusable_check.yml
@@ -8,6 +8,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
diff --git a/.github/workflows/_reusable_deploy.yml b/.github/workflows/_reusable_deploy.yml
index 40cb9a9..3781d14 100644
--- a/.github/workflows/_reusable_deploy.yml
+++ b/.github/workflows/_reusable_deploy.yml
@@ -16,6 +16,8 @@ jobs:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
diff --git a/.github/workflows/_reusable_lambda_rie_test.yml b/.github/workflows/_reusable_lambda_rie_test.yml
index 57ec191..a287964 100644
--- a/.github/workflows/_reusable_lambda_rie_test.yml
+++ b/.github/workflows/_reusable_lambda_rie_test.yml
@@ -8,6 +8,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
diff --git a/.github/workflows/on-pull_request.yml b/.github/workflows/on-pull_request.yml
index 6def5fd..3540a83 100644
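Review bot: No job-level `permissions:` block is visible above `runs-on: ubuntu-latest` in this reusable job, so the GITHUB_TOKEN it runs with is scoped entirely by whichever caller invokes it; `persist-credentials: false` keeps that token out of `.git/config`, but does not narrow it. A reusable workflow can only reduce the caller's grant, so declaring `permissions:` / `  contents: read` on the job (as the `_reusable_deploy.yml` hunk already shows at its `contents: read` line) caps the token even if a future caller omits a top-level `permissions:` and inherits the repository default. The job definition begins above the hunk, so such a block may already exist out of view; if it does, disregard.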
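Review bot: The reason for `persist-credentials: false` is not recorded next to it, and a maintainer who later adds a step that pushes or calls `git` with the token is likely to remove it rather than understand it. A one-line comment above the new `with:` such as `# don't leave GITHUB_TOKEN in .git/config where later steps (and node_modules scripts) can read it` states the threat the setting addresses. If a step in this job genuinely needs authenticated git access, that is better served by an explicitly scoped token on that step than by re-enabling persistence for the whole checkout.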
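Review bot: Only `contents: read` is visible at the top of this job's permissions in the hunk, while the caller in `on-push-to-main.yml` now grants `id-token: write` workflow-wide; a job-level `permissions:` block in a reusable workflow replaces the inherited set, so if this deploy job obtains cloud credentials via OIDC it must also list `id-token: write` here or the token request will be denied. The `permissions:` key and any `id-token:` line would sit on the lines just above line 16, which the hunk does not show, so this may already be in place — worth confirming. If OIDC is not used by this job, the caller's `id-token: write` grant should instead be dropped.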
--- a/.github/workflows/on-pull_request.yml
+++ b/.github/workflows/on-pull_request.yml
@@ -2,6 +2,9 @@ name: on Pull Request
on:
pull_request:
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
diff --git a/.github/workflows/on-push-to-main.yml b/.github/workflows/on-push-to-main.yml
index 7dcd2b8..4573450 100644
--- a/.github/workflows/on-push-to-main.yml
+++ b/.github/workflows/on-push-to-main.yml
@@ -4,6 +4,10 @@ on:
push:
branches: [main]
+permissions:
+ contents: read
+ id-token: write
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
@@ -11,4 +15,6 @@ concurrency:
jobs:
deploy:
uses: ./.github/workflows/_reusable_deploy.yml
- secrets: inherit
+ secrets:
+ SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+ SLACK_SIGNING_SECRET: ${{ secrets.SLACK_SIGNING_SECRET }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..39d1b18
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+ secrets-outside-env:
+ disable: true
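Review bot: `id-token: write` is granted at the workflow level, so every job in this file can mint an OIDC token, not just the one that deploys; today the only job visible is `deploy`, but any job added later (a notification or tagging step, say) silently inherits the ability to assume whatever cloud role trusts this repository. Keeping the top-level block at `contents: read` and moving the OIDC grant onto the calling job — `  deploy:` / `    uses: ./.github/workflows/_reusable_deploy.yml` / `    permissions:` with `contents: read` and `id-token: write` beneath it — confines it to the one job that needs it. A job that calls a reusable workflow accepts `permissions:` directly, so no change to the reusable file is needed for this.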
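Review bot: Passing `SLACK_BOT_TOKEN` and `SLACK_SIGNING_SECRET` explicitly only works if `_reusable_deploy.yml` declares both under `on.workflow_call.secrets`, and that declaration is not in this diff (the deploy hunk starts at its line 16, below the trigger block). Declaring them there with `required: true` — e.g. `SLACK_BOT_TOKEN:` / `  required: true` — also makes a missing or misnamed repository secret fail the run at validation rather than reaching the Slack step with an empty value. Replacing `secrets: inherit` is the right direction; this note is only about the receiving side.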
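Review bot: `disable: true` switches the `secrets-outside-env` audit off for every workflow in the repository, presumably because of the `secrets:` mapping added to `on-push-to-main.yml`; that also silences it for any future `${{ secrets.* }}` placed in a `run:` or `with:` block, which is the case the rule exists to catch. zizmor accepts a per-file scope instead, so `secrets-outside-env:` / `  ignore:` / `    - on-push-to-main.yml` keeps the audit live elsewhere. Whichever form is kept, a comment above the rule naming the finding it suppresses (`# secrets passed to the reusable deploy workflow via secrets:, not a run/with block`) stops the exemption from outliving its reason.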