diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 0eb181a..aae5037 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -27,6 +27,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: hynek/build-and-inspect-python-package@v2
 
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 859c948..75a47d2 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -1,8 +1,5 @@
 name: Sync labels
 
-permissions:
-  pull-requests: write
-
 on:
   push:
     branches:
@@ -13,9 +10,13 @@ on:
 
 jobs:
   sync:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: micnncim/action-label-syncer@v1
         with:
           prune: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 07430cb..e535eb6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,4 +14,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: hugovk/pre-commit-action-uv@v3.0.1
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+      - uses: tox-dev/action-pre-commit-uv@v1
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 436abb1..e32cf8e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5