diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index 48c7ae2..4adc84a 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -4,8 +4,12 @@ name: Commitlint
 'on': [pull_request]
+permissions: {}
+
 jobs:
 lint:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -13,4 +17,5 @@ jobs:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: wagoid/commitlint-github-action@a85daedc64529d02d566e7f83c3c48c77e78af85 # v1
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3b34bd6..ad0bdf9 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,6 +9,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.ref != format('refs/heads/{0}', github.event.repository.default_branch) }}
+permissions: {}
+
 jobs:
 should-run:
 name: Prep / Should run
@@ -24,10 +26,14 @@ jobs:
 needs: should-run
 if: fromJSON(needs.should-run.outputs.should-run)
 container: techneg/ci-pre-commit:v2.5.26@sha256:46f3dbce03b7446d3f5ed4f45303eb0035dfd1d090e89d7a83e2e55f172bbd17
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
 - name: Export `CI_CACHE_ID` from container
 run: echo "CI_CACHE_ID=$(cat /.ci_cache_id)" >> $GITHUB_ENV
 - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
diff --git a/.github/workflows/safe-settings.yml b/.github/workflows/safe-settings.yml
new file mode 100644
index 0000000..b35ebf8
--- /dev/null
+++ b/.github/workflows/safe-settings.yml
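Review bot: The job-level `contents: read` added under `lint` may be narrower than the commitlint step needs: `GITHUB_TOKEN` is exported for the whole job and wagoid/commitlint-github-action uses it to fetch the pull request's commits through the API, and on a private repository that endpoint is gated by `pull-requests: read`, not by `contents`. Verify on a PR run after merge and, if it is rejected, extend the block to `permissions:` / `contents: read` / `pull-requests: read`. Separately, the token is still visible to every step of the job, including checkout; moving the `env:` block from the job onto the commitlint step keeps it in scope only where it is used.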
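Review bot: With `permissions: {}` now set at workflow level, any job that does not declare its own block runs with no token scopes; this hunk grants `contents: read` only to the pre-commit job, and `should-run` (whose header is visible in the previous hunk) receives nothing in this diff. That is correct if `should-run` only evaluates expressions and outputs, but if its steps check out the repository or call the API they will fail with an authorization error; its body lies outside the hunks, so please confirm and, if needed, add the matching `permissions:` / `contents: read` there.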
@@ -0,0 +1,62 @@
+name: Apply Safe Settings
+on:
+ workflow_dispatch:
+ inputs:
+ dry-run:
+ description: Whether to run in `dry-run` mode or not
+ required: false
+ type: boolean
+ default: true
+
+permissions: {}
+
+jobs:
+ apply-safe-settings:
+ permissions:
+ contents: read
+ runs-on: ubuntu-24.04
+ env:
+ # Version/tag of `github/safe-settings` repository to use:
+ SAFE_SETTINGS_VERSION: 2.1.18
+
+ # Path on GHA runner box where safe-settings code downloaded to:
+ SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code
+ steps:
+ # Self-checkout of 'admin' repo for access to safe-settings deployment configuration
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+
+ # Checkout of `safe-settings` source repository to apply all settings
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ repository: github/safe-settings
+ ref: ${{ env.SAFE_SETTINGS_VERSION }}
+ path: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+ persist-credentials: false
+ - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+ - run: npm install
+ working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+ - name: Run Safe-Settings Full-Sync
+ run: |
+ set +e # Allow commands to fail
+ npm run full-sync
+ exit_code=$?
+ echo "Full-sync exit code: $exit_code"
+
+ if [[ "$FULL_SYNC_NOP" == "true" ]]; then
+ echo "Dry-run mode — ignoring failure"
+ exit 0
+ fi
+
+ exit $exit_code
+ working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
+ env:
+ APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
+ ADMIN_REPO: ${{ vars.SAFE_SETTINGS_ADMIN_REPO || '.github' }}
+ CONFIG_PATH: ${{ vars.SAFE_SETTINGS_CONFIG_PATH || 'safe-settings' }}
+ DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/${{ vars.SAFE_SETTINGS_CONFIG_PATH || 'safe-settings' }}/deployment-settings.yml
+ FULL_SYNC_NOP: ${{ inputs.dry-run }}
+ GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
+ LOG_LEVEL: ${{ vars.SAFE_SETTINGS_LOG_LEVEL || 'debug' }}
+ PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 03069ba..5308e3a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,8 +14,13 @@ repos:
 rev: 0.36.0
 hooks:
 - id: check-github-workflows
- name: Check GitHub workflows with check-jsonschema
+ name: Check GitHub Actions workflows with check-jsonschema
 args: ["--verbose"]
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.22.0
+ hooks:
+ - id: zizmor
+ name: Check GitHub Actions workflows with zizmor
 - repo: https://github.com/renovatebot/pre-commit-hooks
 rev: 42.84.0
 hooks:
diff --git a/safe-settings/settings.yml b/safe-settings/settings.yml
new file mode 100644
index 0000000..2dbe5a8
--- /dev/null
+++ b/safe-settings/settings.yml
@@ -0,0 +1,5 @@
+repository:
+ topics:
+ - template
+ - salt-formula
+ - saltstack-formula
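Review bot: `ref: ${{ env.SAFE_SETTINGS_VERSION }}` checks out `github/safe-settings` by the mutable tag `2.1.18`, and the full-sync step then hands that code the organisation's GitHub App key via `PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}`; every action in this file is pinned to a commit SHA, but the one piece of third-party code that actually receives an admin credential is not. Pin it the same way, `SAFE_SETTINGS_VERSION: <commit SHA of the 2.1.18 tag>  # v2.1.18`, and install from the lockfile with `- run: npm ci` instead of `npm install` so the dependency set is the one reviewed upstream (assuming the tag ships a package-lock.json; confirm). Smaller point: `DEPLOYMENT_CONFIG_FILE` re-derives `${{ vars.SAFE_SETTINGS_CONFIG_PATH || 'safe-settings' }}` instead of sharing it with `CONFIG_PATH`, so the two defaults can drift; either build the path from a single job-level `env:` entry or add a comment `# must match the CONFIG_PATH default below` next to it.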