diff --git a/.config/zizmor.yml b/.config/zizmor.yml new file mode 100644 index 0000000..6cf41d7 --- /dev/null +++ b/.config/zizmor.yml @@ -0,0 +1,4 @@ +--- +rules: + secrets-outside-env: + disable: true diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 1ef8c07..6035326 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -16,16 +16,19 @@ env: RUSTC_WRAPPER: sccache IN_CI: "true" +permissions: {} + jobs: build: runs-on: ubuntu-latest steps: - name: Check out repo and build scripts - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive + persist-credentials: false - name: Run sccache - uses: mozilla-actions/sccache-action@v0.0.7 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: Build run: make build @@ -33,17 +36,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo and build scripts - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive + persist-credentials: false - name: Run sccache - uses: mozilla-actions/sccache-action@v0.0.7 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: rustfmt nightly run: | rustup toolchain install nightly-x86_64-unknown-linux-gnu rustup component add rustfmt --toolchain nightly-x86_64-unknown-linux-gnu - name: Install Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.13" - name: Install pre-commit 
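Review bot: In the new `.config/zizmor.yml`, `disable: true` switches the `secrets-outside-env` audit off for every workflow in the repository, including ones added later, and the file has no comment saying why. The only secret reference visible in this diff is `secrets.CODECOV_TOKEN` in the coverage job of `verify.yml`, so the exception could be limited to that workflow by giving the rule an `ignore:` list with a `verify.yml` entry instead of disabling it globally. Whichever form is kept, a comment above the rule such as `# CODECOV_TOKEN is read outside a deployment environment; accepted because <reason>` would record the decision for the next audit.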
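Review bot: The top-level `permissions: {}` added to `verify.yml` removes every token scope, including `contents: read`, and the `build` job in this hunk declares no `permissions:` of its own; the same applies to the job touched by the next hunk (`@@ -33,17 +36,18 @@`). Checkout of a public repository works without any scope, but if the repository is private, `actions/checkout` needs `contents: read` on the job, which is worth confirming before merge. Adding `permissions:` with `contents: read` under each job that checks out code also documents what the job is allowed to do. The job definitions begin or end outside these hunks, so a per-job block may already exist out of view.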
@@ -55,20 +59,23 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo and build scripts - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive + persist-credentials: false - name: Run sccache - uses: mozilla-actions/sccache-action@v0.0.7 - - name: Install grcov - run: cargo install grcov - - name: Add llvm-tools - run: rustup component add llvm-tools-preview + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 + - name: Install cargo-nextest + uses: taiki-e/install-action@0fde6d128a3d980ceac30be8c8b8739abd963b81 # v2.70.0 + with: + tool: cargo-nextest + - name: Install cargo-llvm-cov + uses: taiki-e/install-action@0fde6d128a3d980ceac30be8c8b8739abd963b81 # v2.70.0 + with: + tool: cargo-llvm-cov - name: Test - run: make test - - name: Compute coverage - run: make cover + run: make test cover - name: Upload coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index affcf76..91fddfa 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,3 +20,11 @@ repos: hooks: - id: fmt args: ['--', '--unstable-features'] + - repo: "https://github.com/zizmorcore/zizmor-pre-commit" + rev: v1.23.1 + hooks: + - id: zizmor + args: + - --fix=all + - --config + - .config/zizmor.yml diff --git a/build b/build index bb4ea7b..68b8d86 160000 --- a/build +++ b/build @@ -1 +1 @@ -Subproject commit bb4ea7b928a3a0e59cf04f4fa420ee616014f7a0 +Subproject commit 68b8d863b90df7199ac45322e7612dd5d1494971
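Review bot: The two `taiki-e/install-action` steps in the coverage job pin the action to a commit but give `tool: cargo-nextest` and `tool: cargo-llvm-cov` no version, so the workflow itself does not say which binaries produce the test and coverage results; how the action picks a default is not visible from this file. The action accepts a version suffix, so `tool: cargo-nextest@<version>` and `tool: cargo-llvm-cov@<version>` (placeholders for the versions used locally) would make the tool versions as explicit and reviewable as the action pins. The two steps could also be merged into one with a comma-separated `tool:` list. The job's header lies outside the hunk.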
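Review bot: In the zizmor hook added to `.pre-commit-config.yaml`, `--fix=all` enables the fixes zizmor classes as unsafe as well as the safe ones, so an ordinary commit can rewrite workflow files in ways that alter what they do. `--fix=safe` limits the automatic edits to the safe class and leaves the remaining findings for a person to apply and review. Separately, `rev: v1.23.1` is a movable tag, while this same commit pins every action to a commit hash; `rev: <commit-sha>  # frozen: v1.23.1` (placeholder hash) would apply the same policy to the hook repository.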