diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 61e6748..82a3e1d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,7 @@ updates: schedule: # Check for updates to GitHub Actions every week interval: "weekly" + # wait after a new release till we create a PR, to reduce risk of pulling + # a compromised new version + cooldown: + default-days: 7 diff --git a/.github/workflows/maven-ci.yml b/.github/workflows/maven-ci.yml index 9b9d770..5babb1b 100644 --- a/.github/workflows/maven-ci.yml +++ b/.github/workflows/maven-ci.yml @@ -40,19 +40,22 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }} + persist-credentials: false - name: Set up JDK '${{ inputs.java_version }}' - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '${{ inputs.java_version }}' distribution: 'temurin' cache: maven - name: Build Command invocation - run: '${{ inputs.build_command }}' + run: '${INPUTS_BUILD_COMMAND}' + env: + INPUTS_BUILD_COMMAND: ${{ inputs.build_command }} - name: Check for wrong code formatting run: | diff --git a/.github/workflows/maven-jib.yml b/.github/workflows/maven-jib.yml index 8af50f2..0853e13 100644 --- a/.github/workflows/maven-jib.yml +++ b/.github/workflows/maven-jib.yml @@ -1,4 +1,5 @@ name: Build the JIB image and upload to the container registry +permissions: {} on: workflow_dispatch: @@ -7,7 +8,9 @@ jobs: snapshot: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false ############################################################################### # WIP diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index c33082c..4f7fc45 100644 
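Review bot: The new `cooldown` block in the dependabot.yml hunk is placed under the one `updates:` entry visible here, which the neighbouring comment identifies as the GitHub Actions ecosystem; if the file also carries a `maven` entry for the project's own dependencies (not visible in this hunk), the same seven-day `default-days` delay is at least as relevant there, since a compromised Maven artifact reaches the build just as directly as a compromised action. The comment above the block should also state what the delay does and does not buy, e.g. `# cooldown only delays the Dependabot PR; it does not replace pinning actions to a commit SHA`, so nobody reads it as a substitute for the SHA pins this commit adds elsewhere. The hunk ends inside the `updates:` list, so any other entries are outside this view.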
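Review bot: `run: '${INPUTS_BUILD_COMMAND}'` in the maven-ci.yml hunk still hands the entire `build_command` input to the shell to be executed verbatim, so routing it through `env:` closes the expression-injection path in the workflow text but does not limit what a caller can run; since that is the purpose of the input, it should be documented on the step, e.g. `# build_command is executed as-is by the shell; callers must pass only trusted values`. The same env-indirection pattern appears in the maven-release, maven-set-version and maven-snapshot hunks and the same comment applies there. Separately, no `permissions:` block for this reusable workflow appears in the hunk, unlike the `permissions: {}` added to maven-jib.yml and validate.yml; if the job does not already declare one outside the hunk, a job-level `permissions:` with `contents: read` would stop it from inheriting the caller's full token scopes. The `steps:` list continues past the end of the hunk.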
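Review bot: With the workflow-level `permissions: {}` added in the first maven-jib.yml hunk, the `snapshot` job's GITHUB_TOKEN has no scopes, so if the image push that the workflow name describes (the remainder of the job is marked WIP and lies outside the second hunk) authenticates to the registry with GITHUB_TOKEN, it will now need a job-level `permissions:` granting `packages: write`, and `contents: read` as well if the repository is private and the pinned checkout needs it. If the push uses a registry secret instead, nothing is needed, and a one-line comment under `permissions: {}` saying `# registry auth uses a dedicated secret, not GITHUB_TOKEN` would record that. The checkout pin and `persist-credentials: false` in the second hunk need nothing further.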
--- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -38,6 +38,10 @@ on: required: true SONATYPE_PASSWORD: required: true + GPG_PRIVATE_KEY: + required: true + GPG_PASSPHRASE: + required: true # cancel in-progress runs of the same workflow # to avoid unecessary runs when multiple commits pushed @@ -58,10 +62,11 @@ jobs: FINAL_REF: ${{ github.event.inputs.ref_to_release || github.event.repository.default_branch }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: '${{ env.FINAL_REF }}' fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }} + persist-credentials: false - name: Configure Git User run: | @@ -71,7 +76,7 @@ jobs: git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up JDK '${{ inputs.java_version }}' - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '${{ inputs.java_version }}' distribution: 'temurin' @@ -83,11 +88,12 @@ jobs: gpg-passphrase: MAVEN_GPG_PASSPHRASE - name: Publish to Central - run: ${{ inputs.release_command }} + run: ${INPUTS_RELEASE_COMMAND} env: MAVEN_USERNAME: ${{ secrets.SONATYPE_USERNAME }} MAVEN_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + INPUTS_RELEASE_COMMAND: ${{ inputs.release_command }} - name: Push all the git commits and tags back to the repository run: git push && git push --tags diff --git a/.github/workflows/maven-set-version.yml b/.github/workflows/maven-set-version.yml index b56df4e..651bb86 100644 --- a/.github/workflows/maven-set-version.yml +++ b/.github/workflows/maven-set-version.yml 
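Review bot: `persist-credentials: false` on the checkout in the second maven-release.yml hunk removes the token from the git config, yet the last hunk still ends with `run: git push && git push --tags`, which will be rejected as unauthenticated unless a step outside these hunks configures credentials (the "Configure Git User" step is only partly visible and shows just `user.email`). The same combination appears in maven-set-version.yml, whose first hunk adds the same checkout setting and whose last hunk ends with `git push`. Either keep credential persistence on for these two workflows, or have the push step authenticate explicitly with a token passed through `env:`, and leave a comment on the checkout step recording which was chosen, e.g. `# credentials are not persisted; the push step authenticates on its own`. The new `GPG_PRIVATE_KEY` / `GPG_PASSPHRASE` declarations in the first hunk match the `secrets.GPG_PASSPHRASE` already used in the publish step and need nothing further; the `steps:` list extends beyond the hunks.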
@@ -47,9 +47,10 @@ jobs: FINAL_REF: ${{ github.event.inputs.ref_for_version || github.event.repository.default_branch }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: '${{ env.FINAL_REF }}' + persist-credentials: false - name: Configure Git User run: | @@ -60,7 +61,7 @@ jobs: - name: Set up JDK '${{ inputs.java_version }}' - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '${{ inputs.java_version }}' distribution: 'temurin' @@ -68,10 +69,14 @@ jobs: - name: Update Version in pom.xml run: | - mvn -B versions:set -DnewVersion=${{ inputs.new_version }} -DgenerateBackupPoms=false + mvn -B versions:set -DnewVersion="${INPUTS_NEW_VERSION}" -DgenerateBackupPoms=false + env: + INPUTS_NEW_VERSION: ${{ inputs.new_version }} - name: Push all the git commits and tags back to the repository run: | git add -A - git commit -m "chore: Bump version to: ${{ inputs.new_version }}" + git commit -m "chore: Bump version to: ${INPUTS_NEW_VERSION}" git push + env: + INPUTS_NEW_VERSION: ${{ inputs.new_version }} diff --git a/.github/workflows/maven-snapshot.yml b/.github/workflows/maven-snapshot.yml index bc66c29..ff0454f 100644 --- a/.github/workflows/maven-snapshot.yml +++ b/.github/workflows/maven-snapshot.yml @@ -56,12 +56,13 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }} + persist-credentials: false - name: Set up JDK '${{ inputs.java_version }}' - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '${{ inputs.java_version }}' # java version to use distribution: 'temurin' 
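Review bot: The identical `env:` mapping `INPUTS_NEW_VERSION: ${{ inputs.new_version }}` is declared on both the "Update Version in pom.xml" step and the push step in the last maven-set-version.yml hunk; declaring it once at job level (the job header is outside the hunk) removes the duplication and keeps the two steps from drifting apart. The value is consumed inside double quotes in both commands (`-DnewVersion="${INPUTS_NEW_VERSION}"` and the commit message), which is the right shape for a caller-supplied string. The checkout and setup-java pins in the first two hunks need nothing further.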
@@ -78,10 +79,11 @@ jobs: # Only run for snapshot version and not for commits with released versions if: endsWith(steps.project-version.outputs.version, '-SNAPSHOT') run: > - ${{ inputs.snapshot_deploy_command }} + ${INPUTS_SNAPSHOT_DEPLOY_COMMAND} ${{ inputs.quarkus_jib_image && '-Dquarkus.container-image.build=true -Dquarkus.container-image.push=true' || '' }} env: MAVEN_USERNAME: ${{ secrets.SONATYPE_USERNAME }} MAVEN_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} QUARKUS_CONTAINER_IMAGE_USERNAME: ${{ secrets.QUAY_DEVEL_USERNAME }} QUARKUS_CONTAINER_IMAGE_PASSWORD: ${{ secrets.QUAY_DEVEL_PASSWORD }} + INPUTS_SNAPSHOT_DEPLOY_COMMAND: ${{ inputs.snapshot_deploy_command }} diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 8507c50..8d4b640 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -1,4 +1,5 @@ name: Validate GitHub Actions Workflows +permissions: {} on: pull_request: @@ -10,7 +11,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - - name: Validate GitHub Actions - uses: jazzsequence/github-action-validator@v1 + - name: Run actionlint to lint our github action + uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2 + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
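Review bot: The `run: >` block in the maven-snapshot.yml hunk keeps a `${{ inputs.quarkus_jib_image && '…' || '' }}` expression inline after the command itself was moved into `INPUTS_SNAPSHOT_DEPLOY_COMMAND`; this is safe only because both branches of that expression are fixed literals, and nothing in the file records that, so a later edit that interpolates another input there would reopen the injection path this commit is closing. I would add above the `run:` line: `# the remaining ${{ }} expression only selects between literal flags; never interpolate inputs directly here`. The job continues beyond the end of the hunk.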
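Review bot: The second validate.yml hunk adds `zizmorcore/zizmor-action` under a workflow whose first hunk sets `permissions: {}`; as far as I know that action uploads its findings to code scanning by default, which needs `security-events: write` (and `contents: read` plus `actions: read`) on the job, so unless a job-level `permissions:` exists outside the hunk the upload will fail. Either grant those scopes at job level, or turn the upload off (the action exposes an `advanced-security` input for that) so findings fail the run directly; whichever is chosen should be noted with a comment on the step. Both replacement actions are pinned to a commit SHA with a version comment, consistent with the rest of the commit, and the hunk ends at the last step.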