diff --git a/.github/actions/node-setup/action.yml b/.github/actions/node-setup/action.yml
index 2822d5e..1850e96 100644
--- a/.github/actions/node-setup/action.yml
+++ b/.github/actions/node-setup/action.yml
@@ -8,11 +8,10 @@ runs:
   using: 'composite'
   steps:
     - name: Setup Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
       with:
         node-version: ${{ inputs.node-version }}
-        cache: 'npm'
-        cache-dependency-path: package-lock.json
+        package-manager-cache: false
 
     - name: Install dependencies
       shell: bash
diff --git a/.github/workflows/build-wasm.yml b/.github/workflows/build-wasm.yml
index 4af90ad..31e0e73 100644
--- a/.github/workflows/build-wasm.yml
+++ b/.github/workflows/build-wasm.yml
@@ -17,7 +17,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -53,11 +53,11 @@ jobs:
 
       - name: Set up Buildx Docker CLI plugin
         if: steps.check-branch.outputs.skip != 'true'
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build Docker image
         if: steps.check-branch.outputs.skip != 'true'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: .
           load: true
@@ -92,18 +92,28 @@ jobs:
 
       - name: Create Pull Request
         if: steps.check-branch.outputs.skip != 'true' && steps.git-check.outputs.changes == 'true'
-        uses: peter-evans/create-pull-request@v6
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message:
-            'chore: update SQLite Wasm binaries from ${{ steps.resolve-ref.outputs.sqlite_ref }}
-            (${{ steps.resolve-ref.outputs.sqlite_sha }})'
-          title:
-            'chore: update SQLite Wasm binaries from ${{ steps.resolve-ref.outputs.sqlite_ref }}'
-          body: |
-            This PR updates the SQLite Wasm binaries in `src/bin` by building them from SQLite reference `${{ steps.resolve-ref.outputs.sqlite_ref }}` (commit `${{ steps.resolve-ref.outputs.sqlite_sha }}`).
-
-            Triggered by manual workflow dispatch.
-          branch: ${{ steps.resolve-ref.outputs.branch_name }}
-          base: main
-          delete-branch: true
+        env:
+          BRANCH_NAME: ${{ steps.resolve-ref.outputs.branch_name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SQLITE_REF: ${{ steps.resolve-ref.outputs.sqlite_ref }}
+          SQLITE_SHA: ${{ steps.resolve-ref.outputs.sqlite_sha }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          git switch -c "$BRANCH_NAME"
+          git commit -m "chore: update SQLite Wasm binaries from ${SQLITE_REF} (${SQLITE_SHA})"
+          gh auth setup-git
+          git push origin "HEAD:${BRANCH_NAME}"
+
+          cat > pr-body.md <<EOF
+          This PR updates the SQLite Wasm binaries in \`src/bin\` by building them from SQLite reference \`${SQLITE_REF}\` (commit \`${SQLITE_SHA}\`).
+
+          Triggered by manual workflow dispatch.
+          EOF
+
+          gh pr create \
+            --base main \
+            --head "$BRANCH_NAME" \
+            --title "chore: update SQLite Wasm binaries from ${SQLITE_REF}" \
+            --body-file pr-body.md
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 37062d8..9ff1be9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,9 +24,9 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: ./.github/actions/node-setup
@@ -41,9 +41,9 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup environment (node + install)
         uses: ./.github/actions/node-setup
@@ -51,6 +51,28 @@ jobs:
       - name: Run format check
         run: npx oxfmt . --check
 
+  zizmor:
+    name: Zizmor GitHub Actions check
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed by zizmor online audits to inspect workflow/action metadata.
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          online-audits: true
+          persona: auditor
+          min-severity: informational
+          min-confidence: low
+
   test-browser:
     name: Run browser tests
     runs-on: ubuntu-latest
@@ -58,9 +80,9 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup environment (node + install)
         uses: ./.github/actions/node-setup
@@ -73,7 +95,7 @@ jobs:
           >> $GITHUB_OUTPUT
 
       - name: Cache Playwright browsers
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         id: playwright-cache
         with:
           path: ~/.cache/ms-playwright
@@ -104,9 +126,7 @@ jobs:
         node-version: [20, 22, 23, 24, 25]
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup environment (node + install)
         uses: ./.github/actions/node-setup
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7eef672..99b4a34 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,9 +16,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup environment (node + install)
         uses: ./.github/actions/node-setup
@@ -29,9 +27,10 @@ jobs:
         run: npm run prepublishOnly
 
       - name: Configure npm for OIDC trusted publishing
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24
+          package-manager-cache: false
           registry-url: https://registry.npmjs.org
 
       - name: Publish to npm