diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6d99f77..a9d3941 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,10 @@ on: - "release/[0-9]+.[0-9]+.[0-9]+" name: Deploy Extension + +permissions: + contents: write + jobs: deploy: runs-on: ubuntu-latest
@@ -13,18 +17,22 @@ jobs: id: releaseMode # perform secret check & put boolean result as an output shell: bash + env: + GIT_REF: ${{ github.ref }} run: | - if [[ "${{ github.ref }}" = "refs/tags/dryrun"* ]]; then + if [[ "$GIT_REF" = "refs/tags/dryrun"* ]]; then echo "dryRun=true" >> $GITHUB_OUTPUT; else echo "dryRun=false" >> $GITHUB_OUTPUT; fi - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 - run: npm ci - name: Publish to Open VSX Registry if: success() || failure() - uses: HaaLeo/publish-vscode-extension@v1 + uses: HaaLeo/publish-vscode-extension@f4ece70f329f66686bd71c54b1671353fe320e49 # v1 id: publishToOpenVSX with: dryRun: ${{ steps.releaseMode.outputs.dryRun }}
@@ -33,7 +41,7 @@ jobs: skipDuplicate: true - name: Publish to Visual Studio Marketplace if: success() || failure() - uses: HaaLeo/publish-vscode-extension@v1 + uses: HaaLeo/publish-vscode-extension@f4ece70f329f66686bd71c54b1671353fe320e49 # v1 with: dryRun: ${{ steps.releaseMode.outputs.dryRun }} extensionFile: ${{ steps.publishToOpenVSX.outputs.vsixPath }}
@@ -42,7 +50,7 @@ jobs: registryUrl: https://marketplace.visualstudio.com skipDuplicate: true - name: Github Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 if: ${{ ! steps.releaseMode.outputs.dryRun }} with: body: |
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..f3a4117
--- /dev/null
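Review bot: The new `permissions: contents: write` is declared at workflow level, where it applies to every job in the file, while the only step that appears to need it is the Github Release step inside the single `deploy` job; moving it under the job (`deploy:` / `  permissions:` / `    contents: write`) keeps the grant next to its consumer and stops any job added to this workflow later from inheriting write access by default. The two marketplace publish steps presumably authenticate with their own tokens passed as action inputs (not visible in this hunk), so they would not lose anything if the job were ever split and the publish half dropped to `contents: read`. The `on:` block this hunk is cut from begins before the hunk, so whether the `dryrun*` tags tested by the releaseMode step are also triggers can't be confirmed from here.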
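Review bot: The two `HaaLeo/publish-vscode-extension` SHA pins are annotated `# v1`, a floating major tag, so a reader cannot tell which release `f4ece70…` corresponds to or check that the comment still matches the commit; the `actions/*` pins in the same hunk use exact tags (`# v6.0.2`, `# v4.4.0`) and the comment should follow that convention with the exact release tag the SHA resolves to, which is also what Dependabot/Renovate use to keep the pin and its comment in step. Separately from the pin, `if: success() || failure()` on the Open VSX step means it still runs after `npm ci` or checkout has failed; that predates this change but is worth a look while the step is being touched. The `deploy` job's step list continues past the end of this hunk.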
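Review bot: `if: ${{ ! steps.releaseMode.outputs.dryRun }}` applies `!` to a step output, and step outputs are strings (the releaseMode step writes `dryRun=true`/`dryRun=false` to `$GITHUB_OUTPUT`), so if I read GitHub's expression rules correctly — a string is only falsy when empty — the condition is `false` for both `"true"` and `"false"` and the Github Release step never runs; `if: steps.releaseMode.outputs.dryRun != 'true'` compares the value explicitly. This is context rather than part of the SHA pin, but it is the only guard between a dryrun tag and a real release, so it deserves a check on the next `dryrun*` push. The `body: |` block scalar and the rest of this step continue past the hunk.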
+++ b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+ secrets-outside-env:
+ disable: true
+ cache-poisoning:
+ ignore:
+ - publish.yml
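Review bot: `secrets-outside-env: disable: true` switches that audit off for every workflow in the repository, whereas the `cache-poisoning` entry directly below is scoped to `publish.yml` via `ignore:`; unless the finding really is repo-wide, the same shape — `secrets-outside-env:` / `  ignore:` / `    - publish.yml` — keeps the check live for workflows added later. Each suppression should also carry a one-line `#` comment naming the finding it silences and why it is accepted (for example, if the marketplace tokens are consumed as action inputs rather than interpolated into a `run:` script), since otherwise the file reads as a blanket waiver with no expiry. For the `cache-poisoning` ignore, if the finding is triggered by `actions/setup-node` in the release job, confirming its `cache` input is unset (or setting it off explicitly) may let the ignore be removed rather than suppressed; I can't see the zizmor output here, so that is inferred.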