diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8a50e6c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "quarterly"
+ labels:
+ - "skip issue"
+ - "skip news"
+ ignore:
+ - dependency-name: "*"
+ update-types:
+ - "version-update:semver-minor"
+ - "version-update:semver-patch"
+ groups:
+ actions:
+ patterns:
+ - "*"
+ cooldown:
+ # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+ # Cooldowns protect against supply chain attacks by avoiding the
+ # highest-risk window immediately after new releases.
+ default-days: 14
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index df1f3f4..b438269 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,15 +25,19 @@ jobs:
 - undefined
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: google/oss-fuzz
 path: oss-fuzz
+ persist-credentials: false
 - name: Patch Dockerfile to use this ref
 run: |
- sed -i "s|git clone --depth 1 --branch main https://github.com/python/library-fuzzers.git|git clone --depth 1 --branch ${{ github.head_ref }} ${{ github.event.pull_request.head.repo.clone_url }} library-fuzzers|" \
+ sed -i "s|git clone --depth 1 --branch main https://github.com/python/library-fuzzers.git|git clone --depth 1 --branch ${BRANCH} ${CLONE_URL} library-fuzzers|" \
 oss-fuzz/projects/python3-libraries/Dockerfile
+ env:
+ BRANCH: ${{ github.head_ref }}
+ CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
 - name: Build fuzzers
 run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 17748f8..3d63df9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
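Review bot: The `ignore` entry with `dependency-name: "*"` suppresses every minor and patch version update for all actions, and nothing in the new file records whether that is meant to also cover patch releases that carry security fixes; since this same commit pins actions by commit SHA in build.yml, a pinned SHA only moves when Dependabot opens a PR. If I read the Dependabot docs correctly, `ignore` rules govern version updates while security updates depend on being enabled separately for the repository, and the 14-day `cooldown` likewise delays version-update PRs, so the intended division of labour should be written down. I would add above `ignore:` a comment such as `# Only major bumps are proposed as version updates; patch-level fixes are expected to arrive via Dependabot security updates` and a pointer in the cooldown comment noting that the delay also applies to updates of the SHA-pinned actions.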
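Review bot: `BRANCH` and `CLONE_URL` in the new `env` block are empty when the job is not triggered by a pull request (`github.head_ref` and `github.event.pull_request` are only populated for PR events), so the sed replacement would produce `git clone --depth 1 --branch  library-fuzzers` and the Dockerfile build would fail; the hunk does not show the `on:` trigger, so this only bites if the workflow also runs on push or dispatch. A fallback keeps both paths working: `BRANCH: ${{ github.head_ref || github.ref_name }}` and `CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url || github.event.repository.clone_url }}`. Moving the expressions out of `run` into `env` removes the shell-interpretation path, but the values are still spliced into a sed script where `|`, `&` and `\` in a branch name would break or alter the substitution, so a comment such as `# Expressions are passed via env so the shell never interprets branch or URL text; sed metacharacters in a branch name still break the substitution` would document the remaining limit. The `steps` list continues past the end of the hunk.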
@@ -7,7 +7,6 @@ repos:
 - id: ruff-format
 exclude: ^corp-
-
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
 hooks:
@@ -17,5 +16,13 @@ repos:
 exclude: ^corp-
 - id: end-of-file-fixer
 exclude: ^corp-
+ - id: file-contents-sorter
+ files: '^fuzz_targets.txt$'
 - id: trailing-whitespace
 exclude: ^corp-
+
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f # frozen: v1.22.0
+ hooks:
+ - id: zizmor
+ args: [--fix=all]
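Review bot: `args: [--fix=all]` on the new zizmor hook rewrites workflow files in place with every fix mode, which, if I read zizmor's `--fix` modes correctly, includes the fixes it classifies as unsafe (ones that may change what a workflow does), and nothing in the hunk records that this was a deliberate choice. Either drop to `args: [--fix]` (safe fixes only) or add a comment above `args:` such as `# --fix=all also applies zizmor's unsafe fixes; review the rewritten workflow before committing` so the next person sees the trade-off. Separately, the first hunk removes the blank line between the `ruff` and `pre-commit-hooks` repos while this hunk adds one before the zizmor repo; the repo list should use one spacing style.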