diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8dd1fee..59dd491 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,3 +6,5 @@ updates:
 interval: monthly
 labels:
 - "Dependencies"
+ cooldown:
+ default-days: 1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d8500aa..2d12a97 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -96,4 +96,5 @@ on:
 required: false
 NETWORK_TEST_CLIENT_SECRET:
 required: false
-permissions: read-all
+permissions:
+ contents: read
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 95e9086..ad631d9 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,3 +1,6 @@
+concurrency:
+ group: lint-${{ github.ref }}
+ cancel-in-progress: true
 jobs:
 actionlint:
 name: actionlint
diff --git a/.github/workflows/pre-commit_autoupdate.yml b/.github/workflows/pre-commit_autoupdate.yml
index 1e2636f..29cc7f1 100644
--- a/.github/workflows/pre-commit_autoupdate.yml
+++ b/.github/workflows/pre-commit_autoupdate.yml
@@ -1,5 +1,6 @@
 jobs:
 auto-update:
+ name: Auto-update pre-commit hooks
 runs-on: ubuntu-latest
 steps:
 # The app token lets create-pull-request push a branch that triggers CI
@@ -25,6 +26,9 @@ jobs:
 run: uv run --no-sync pre-commit run --all-files
 continue-on-error: true
 - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+ # create-pull-request commits the autoupdate changes, pushes a branch, and
+ # opens the PR -- functionality `gh pr create` alone does not provide.
+ # zizmor: ignore[superfluous-actions]
 with:
 branch: update/pre-commit-hooks
 title: Update pre-commit hooks
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index 8181bef..9150ed5 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
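Review bot: The one-day cooldown added under `updates:` in .github/dependabot.yml is short for what the setting is meant to do: it holds an update back only 24 hours after release, which leaves little time for a compromised or broken release to be noticed and withdrawn upstream. Since the schedule is already `interval: monthly`, a longer window costs almost nothing; consider `default-days: 7`. If the value was picked to satisfy a linter's cooldown check, confirm that check's minimum threshold, which may be higher than 1.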
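Review bot: Replacing `read-all` with a `permissions:` map in .github/workflows/ci.yml sets every scope that is not listed to `none`, so any job that relied on another read scope (for example `actions` or `pull-requests`) will now fail at run time. The jobs are outside this hunk, so that cannot be checked from here; confirm each job's API use and grant any extra scope on the job that needs it rather than at the top level. A short comment would record the intent, e.g. `# least privilege: jobs that need more declare their own permissions`. The `on:` block with `NETWORK_TEST_CLIENT_SECRET` suggests this is a reusable workflow, in which case the caller's token permissions also cap what these jobs receive.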
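Review bot: `cancel-in-progress: true` in the new `concurrency:` block of .github/workflows/lint.yml applies to every ref, including the default branch, so a push that lands while an earlier commit's lint run is still going cancels that run and the earlier commit never gets a lint result. The triggers are outside this hunk, so this matters only if the workflow runs on `push`; if it does, limit cancellation to pull requests with `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The group key works for a single workflow, though `group: ${{ github.workflow }}-${{ github.ref }}` avoids a collision if the `lint-` prefix is ever reused elsewhere.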
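Review bot: The `# zizmor: ignore[superfluous-actions]` comment in the second hunk of .github/workflows/pre-commit_autoupdate.yml sits on its own line between `uses:` and `with:`, and whether the linter honours it there depends on the span the finding reports; the same placement is used in the .github/workflows/prepare_release.yml hunk. Please confirm with a linter run that both findings are actually suppressed, since a suppression that does not match tends to go unnoticed until the check is made blocking. Scoping the ignore to the single rule and keeping the written justification next to it is the right shape. The step bodies continue outside both hunks.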
@@ -48,6 +48,9 @@ jobs:
 - id: create-pr
 name: Create Pull Request
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+ # create-pull-request pushes the release branch and opens the PR with the
+ # app token -- functionality `gh pr create` alone does not provide.
+ # zizmor: ignore[superfluous-actions]
 with:
 body: ""
 branch: prepare_release_v${{ env.version }}
diff --git a/.github/workflows/stale_action.yml b/.github/workflows/stale_action.yml
index 4909e0c..854e21c 100644
--- a/.github/workflows/stale_action.yml
+++ b/.github/workflows/stale_action.yml
@@ -4,6 +4,7 @@ env:
 stale-close-label: Auto-closed - Stale
 jobs:
 stale:
+ name: Close stale issues and PRs
 permissions:
 issues: write # required to comment on and close stale issues
 pull-requests: write # required to comment on and close stale PRs