diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index d55bcb6..a0bc7cd 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -21,7 +21,9 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 # Unroll pre-commit/actions as currently it references actions/cache without a by-digest pin
 # https://github.com/pre-commit/pre-commit/issues/3672
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index ea7a039..4d0ad6a 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -9,11 +9,13 @@ on:
 paths:
 - '.github/workflows/**'
 - '.github/actions/**'
+ - '.github/zizmor.yml'
 push:
 branches: ['main']
 paths:
 - '.github/workflows/**'
 - '.github/actions/**'
+ - '.github/zizmor.yml'
 permissions: {}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..8d11825
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ # Cosmetic pedantic-only finding (zizmor concurrency-limits) — low
+ # security value; suppressed at the repo level per campaign convention.
+ concurrency-limits:
+ disable: true
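Review bot: The new `persist-credentials: false` on the checkout step in lint.yaml has no comment saying why it is there, so a later cleanup could drop it as noise. The context comment suggests the following steps run an unrolled pre-commit, i.e. hook code pulled from other repositories, which is exactly where a token left in `.git/config` matters; I would add `# keep GITHUB_TOKEN out of .git/config; the steps below run third-party hook code` above `with:`. The same line also rewrites the pin comment from `# ratchet:actions/checkout@v4.2.2` to `# v4.2.2`, which matches the setup-python line, but if ratchet is still used to maintain pins this step falls out of its tracking, so confirm that is intended. The step list continues outside the hunk, so whether a later step relies on the persisted token cannot be checked from here.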
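Review bot: Adding `.github/zizmor.yml` to both `paths:` filters in zizmor.yaml means an edit to the config is scanned under the edited config (assuming the job checks out the head of the change), so a change that disables an audit still produces a clean run. The trigger is right to add, but the scan cannot be the control for its own configuration; a CODEOWNERS entry or required review covering `.github/zizmor.yml` would close that gap. A short comment next to the new entries would record the intent, e.g. `# re-run when the zizmor config changes; it can suppress findings`. The event key for the first `paths:` block is above the hunk.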
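Review bot: The comment above `concurrency-limits` in the new .github/zizmor.yml justifies the suppression by "campaign convention", which a later maintainer cannot look up from this file. Because `disable: true` here turns the audit off for every workflow in the repository, the rationale should be self-contained or point somewhere durable, e.g. `# concurrency-limits is a pedantic-only finding; disabled repo-wide, see <link to decision record>`. Keeping one rationale comment per rule, as this file grows, lets each suppression be reviewed on its own.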