diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c5feb066bfa46..7b388f714bf31 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: "CodeQL" on: @@ -23,18 +26,21 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: + persist-credentials: false - name: Checkout vcpkg uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: path: "build/vcpkg" repository: "microsoft/vcpkg" fetch-depth: 0 + persist-credentials: false - name: Checkout pinned vcpkg version run: > git -C build/vcpkg checkout -q $(= 5.x run: brew install bash - name: Pre Tests Disk Space + # zizmor: ignore[template-injection] run: df -m - name: Build google-cloud-cpp + # zizmor: ignore[template-injection] run: | export BAZEL_REMOTE_CACHE_RW_MODE=${{ inputs.bazel-cache-mode }} export EXECUTE_INTEGRATION_TESTS=${{ inputs.execute-integration-tests }} diff --git a/.github/workflows/macos-cmake.yml b/.github/workflows/macos-cmake.yml index 98019d784953b..dce9f80f397c8 100644 --- a/.github/workflows/macos-cmake.yml +++ b/.github/workflows/macos-cmake.yml 
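Review bot: The workflow-level `permissions: contents: read` added here becomes the default for every job in codeql-analysis.yml, and the CodeQL analyze step needs `security-events: write` to upload its SARIF results (plus `actions: read` on private repositories); if the analysis job does not declare its own `permissions:` block, the upload will be rejected with this change. The job definition is outside this hunk, so confirm it carries a job-level override such as `permissions:` / `  contents: read` / `  security-events: write`, which keeps the workflow-wide default read-only while granting the one job what it needs. The file's second hunk (`@@ -23,18 +26,21 @@`) is cut off in this view and is not reviewed here.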
@@ -62,16 +62,17 @@ jobs: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: ref: ${{ inputs.checkout-ref }} - - uses: google-github-actions/auth@v2 + persist-credentials: false + - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 if: ${{ inputs.sccache-mode == 'READ_WRITE' && inputs.vcpkg-cache-mode == 'readwrite' }} with: create_credentials_file: true credentials_json: ${{ secrets.BUILD_CACHE_KEY }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 id: py311 with: python-version: '3.14' - - uses: google-github-actions/setup-gcloud@v2 + - uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2 env: CLOUDSDK_PYTHON: ${{ steps.py311.outputs.python-path }} - name: Dynamic Configuration diff --git a/.github/workflows/test-runner.yml b/.github/workflows/test-runner.yml index 925f2f5d47d1d..937449f4830da 100644 --- a/.github/workflows/test-runner.yml +++ b/.github/workflows/test-runner.yml @@ -1,8 +1,11 @@ +permissions: + contents: read + name: "gha: macOS & Windows" # Build on pull requests and pushes to `main`. The PR builds will be # non-blocking for now, but that is configured elsewhere. -on: +on: # zizmor: ignore[dangerous-triggers] # Start these builds on pushes (think "after the merge") too. Normally there # are no `ci-gha**` branches in our repository. The contributors to the repo # can create such branches when testing or troubleshooting builds. In such @@ -52,8 +55,11 @@ jobs: outputs: checkout-sha: ${{ steps.save-pull-request.outputs.sha }} steps: + # zizmor: ignore[template-injection] - name: Save Pull Request id: save-pull-request + # zizmor: ignore[template-injection] + # zizmor: ignore[template-injection] run: > echo "sha=${{ github.event.pull_request.head.sha || github.ref }}" >> $GITHUB_OUTPUT 
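Review bot: The new SHA pins keep only a floating-major trailing comment (`# v2`, `# v5`), which gives a reader no way to check that the commit really belongs to the tag it claims; once the tag is replaced by a SHA, that comment is the only human-readable version left, so record the exact tag looked up at pin time (e.g. `# v<exact-tag>`, placeholder) rather than the major alone. Dependabot-style pin updaters rewrite that comment on each bump, so it stays accurate afterwards. The same applies to the windows-bazel.yml `@@ -40,10 +40,11 @@` and windows-cmake.yml `@@ -68,16 +68,17 @@` hunks, which make the identical change. The `persist-credentials: false` addition is correct for this checkout as far as the hunk shows, but any later step that pushes to or fetches from this repository via git will now need an explicit token; the rest of the job is outside the hunk.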
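Review bot: The `# zizmor: ignore[dangerous-triggers]` appended to `on:` in test-runner.yml silences the finding without recording why the trigger is acceptable, and the later jobs in this same file check out `needs.pre-flight.outputs.checkout-sha` (which pre-flight derives from `github.event.pull_request.head.sha`) while passing `secrets: inherit`, so if the suppressed trigger is `pull_request_target` the finding describes a real path from a pull-request head to repository secrets. The trigger list itself sits below the hunk, so this is inferred. Put the justification where the next reader will see it, as its own comment line directly above `on:` (e.g. `# dangerous-triggers suppressed: <reason the PR head cannot reach secrets>`, placeholder), or narrow the trigger instead of suppressing the audit. The `permissions: contents: read` block added at the top of the file is the right default.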
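Review bot: The `# zizmor: ignore[template-injection]` comment is added three times to the Save Pull Request step (once above `- name:` and twice above `run:`), and the two copies above `run:` are plainly redundant; more importantly the finding can be fixed rather than suppressed by passing the expression as data instead of splicing it into shell text: `env:` / `  CHECKOUT_SHA: ${{ github.event.pull_request.head.sha || github.ref }}` / `run: echo "sha=$CHECKOUT_SHA" >> "$GITHUB_OUTPUT"`. With that, no ignore comment is needed and the step's output is unchanged. The `run: |` exports of `inputs.bazel-cache-mode` and `inputs.execute-integration-tests` seen in the truncated macos-bazel fragment earlier in this diff would benefit from the same `env:` treatment, though that hunk is cut off in this view.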
@@ -65,29 +71,29 @@ jobs: macos-bazel: name: macOS-Bazel needs: [pre-flight] - uses: ./.github/workflows/macos-bazel.yml + uses: ./.github/workflows/macos-bazel.yml # zizmor: ignore[secrets-inherit] with: checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} bazel-cache-mode: 'READ_WRITE' execute-integration-tests: true - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] windows-bazel: # Disabled if: false name: Windows-Bazel needs: [pre-flight] - uses: ./.github/workflows/windows-bazel.yml + uses: ./.github/workflows/windows-bazel.yml # zizmor: ignore[secrets-inherit] with: checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} bazel-cache-mode: 'READ_WRITE' execute-integration-tests: true - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] macos-cmake: # Disabled if: false name: macOS-CMake needs: [pre-flight] - uses: ./.github/workflows/macos-cmake.yml + uses: ./.github/workflows/macos-cmake.yml # zizmor: ignore[secrets-inherit] with: checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} # Build the full matrix only on push events to the default branch, or @@ -102,11 +108,11 @@ jobs: sccache-mode: 'READ_WRITE' vcpkg-cache-mode: 'readwrite' execute-integration-tests: true - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] windows-cmake: name: Windows-CMake needs: [pre-flight] - uses: ./.github/workflows/windows-cmake.yml + uses: ./.github/workflows/windows-cmake.yml # zizmor: ignore[secrets-inherit] with: checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} # Build the full matrix only on push events to the default branch, or @@ -121,4 +127,4 @@ jobs: sccache-mode: 'READ_WRITE' vcpkg-cache-mode: 'readwrite' execute-integration-tests: true - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] diff --git a/.github/workflows/windows-bazel.yml b/.github/workflows/windows-bazel.yml index 90e04ce16444d..8515d20694866 100644 --- a/.github/workflows/windows-bazel.yml 
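Review bot: Every `secrets: inherit` is annotated with `# zizmor: ignore[secrets-inherit]` instead of being narrowed, and the same annotation is also appended to each job's `uses:` line, which has no `secrets` key for it to apply to; if zizmor attaches the finding to the `secrets:` line (worth confirming with a run), the `uses:`-line copies are no-ops and can be dropped. The callee workflows visible in this diff (macos-cmake.yml, windows-cmake.yml) reference only `secrets.BUILD_CACHE_KEY`, so the finding can be resolved rather than suppressed by replacing `secrets: inherit` with `secrets:` / `  BUILD_CACHE_KEY: ${{ secrets.BUILD_CACHE_KEY }}` and declaring that secret under `on: workflow_call: secrets:` in each callee; the other callees are cut off here, so check them before changing them. This matters because `checkout-ref` is the pre-flight SHA taken from the pull-request head, so with a `pull_request_target`-style trigger every repository secret currently reaches a build of contributor-controlled code. The `@@ -102,11 +108,11 @@` and `@@ -121,4 +127,4 @@` hunks in this file carry the same pattern.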
+++ b/.github/workflows/windows-bazel.yml @@ -40,10 +40,11 @@ jobs: targets: - //google/cloud/storage/... steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: ref: ${{ inputs.checkout-ref }} - - uses: google-github-actions/auth@v2 + persist-credentials: false + - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 if: ${{ inputs.bazel-cache-mode == 'READ_WRITE' }} with: create_credentials_file: true diff --git a/.github/workflows/windows-cmake.yml b/.github/workflows/windows-cmake.yml index 735bf2b8997be..985e9786b01c0 100644 --- a/.github/workflows/windows-cmake.yml +++ b/.github/workflows/windows-cmake.yml @@ -68,16 +68,17 @@ jobs: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: ref: ${{ inputs.checkout-ref }} - - uses: google-github-actions/auth@v2 + persist-credentials: false + - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 if: ${{ inputs.sccache-mode == 'READ_WRITE' && inputs.vcpkg-cache-mode == 'readwrite' }} with: create_credentials_file: true credentials_json: ${{ secrets.BUILD_CACHE_KEY }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 id: py311 with: python-version: '3.14' - - uses: google-github-actions/setup-gcloud@v2 + - uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2 env: CLOUDSDK_PYTHON: ${{ steps.py311.outputs.python-path }} - name: Dynamic Configuration