diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index c2a5346..4c0023d 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -12,12 +12,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
-      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             ./__pypackages__
@@ -39,14 +39,7 @@ jobs:
         run: ./pw changelog
       - name: Check repo status
-        run: |-
-          REPO_STATUS="$(git status --porcelain)"
-          if [[ ! -z $REPO_STATUS ]]; then
-            echo "::error::Uncommitted changes detected"
-            echo "$REPO_STATUS"
-            git status -vv
-            exit 1
-          fi
+        uses: cerbos/actions/check-repo-status@043c4c2f16da4bc1366f362cc41c288b8e48a3ae # main
       - name: Test
         env:
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..e3e80a9
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,30 @@
+name: Audit GitHub Actions security
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+defaults:
+  run:
+    shell: bash
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Audit GitHub Actions security
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: cerbos/actions/lint-actions@043c4c2f16da4bc1366f362cc41c288b8e48a3ae # main
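Review bot: The `zizmor` job grants only `security-events: write`, and with the top-level `permissions: {}` the checkout step is left without `contents: read`; on a public repository the token can still read the repo, but on a private one checkout would fail, so adding `contents: read` under the job's `permissions:` makes the intended grant explicit rather than relying on public visibility. Because the workflow also runs on `pull_request`, PRs from forks receive a read-only token, and a SARIF upload (which the `security-events: write` grant suggests the `lint-actions` composite performs, though that is not visible here) would fail on those runs — a guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` on the upload, or a non-uploading mode for forks, is worth considering. The pin `uses: cerbos/actions/lint-actions@043c4c2f16da4bc1366f362cc41c288b8e48a3ae # main` fixes a commit but labels it with a branch, so the comment documents no release and pin-updating tooling that reads it will follow every push to `main`; a tag in the comment (e.g. `# v1.0.0`) would make the upgrade policy explicit. Note also that a SHA on a path inside the actions monorepo does not transitively pin any actions that composite itself references by mutable ref — worth confirming in cerbos/actions.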