diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 444bc11..04c7950 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,10 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + actions: read + jobs: test: @@ -29,6 +33,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: @@ -38,22 +44,32 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}-${{ matrix.profile }} - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: stable + - run: cargo test --profile ${{ matrix.profile }} format: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@nightly with: + persist-credentials: false + + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: nightly components: rustfmt + - run: cargo +nightly fmt --all -- --check clippy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: @@ -63,15 +79,19 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 with: + toolchain: stable components: clippy + - run: cargo clippy --all-targets --all-features coverage: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: 
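Review bot: The new top-level `permissions:` block grants `actions: read` in addition to `contents: read`, but none of the steps visible in this workflow (checkout, cache, toolchain install, cargo) appears to call the Actions API. If no step needs that scope, the block can be reduced to `contents: read`. If it is needed, a comment such as `# actions: read is needed by <step>` would record why. The same block is added in doc.yml, fuzz.yml and workflows-audit.yml, and the `publish` job in doc.yml repeats `actions: read` at job level.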
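Review bot: The `dtolnay/rust-toolchain@888c2e1e…` pins in the `test` and `format` jobs carry no trailing comment naming the upstream ref or date the SHA was taken from, so a reviewer cannot tell what the hash corresponds to, and update tooling has nothing to display. A suffix such as `# <upstream ref this SHA was taken from>` would match the `# v4.0.0` comment this commit adds to the `peaceiris/actions-gh-pages` pin. The same applies to the other `rust-toolchain` pins in ci.yml, doc.yml and fuzz.yml, and to the `codecov/codecov-action` pin. `actions/checkout@v4` and `actions/cache@v4` stay on mutable tags; if that is a deliberate choice to trust GitHub-owned actions, a one-line comment at the top of the workflow would say so.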
@@ -81,13 +101,15 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: stable - - uses: taiki-e/install-action@cargo-llvm-cov + - uses: taiki-e/install-action@13fe1882c51d253ef22193d24823029c0acab68b # cargo-llvm-cov - run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 with: token: ${{ secrets.CODECOV_TOKEN }} files: lcov.info @@ -96,6 +118,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: @@ -105,6 +129,8 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: stable - run: make examples diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml index 18787d9..37b5b4e 100644 --- a/.github/workflows/doc.yml +++ b/.github/workflows/doc.yml 
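Review bot: The `taiki-e/install-action` step in the `coverage` job no longer states which tool it installs. The old ref `@cargo-llvm-cov` selected the tool, but the new line passes no `with:` input, so the step installs cargo-llvm-cov only if the pinned commit is the one that shorthand ref pointed to. The trailing `# cargo-llvm-cov` comment suggests that, but nothing enforces it. Making the choice explicit with `with:` and `tool: cargo-llvm-cov` would keep the step correct when the SHA is later bumped to an ordinary release commit.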
@@ -11,22 +11,35 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + actions: read + jobs: publish: runs-on: ubuntu-latest permissions: contents: write + actions: read + env: BRANCH_NAME: ${{ github.event_name == 'pull_request' && github.head_ref || (github.ref_name == '' && 'master' || github.ref_name) }} + steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: dtolnay/rust-toolchain@stable + persist-credentials: false + + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: stable + - run: | .github/doc/doc.py ${BRANCH_NAME} ls -l ./target/docs - - uses: peaceiris/actions-gh-pages@v4 + + - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./target/docs diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 488e463..630fdfc 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -16,11 +16,17 @@ on: env: CARGO_TERM_COLOR: always +permissions: + contents: read + actions: read + jobs: fuzz: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/cache@v4 with: 
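Review bot: The `publish` job still holds `contents: write` while it runs `.github/doc/doc.py` and the Rust toolchain, so every build step executes in a job whose token can push to the repository. `persist-credentials: false` removes the token from the checkout's git config but does not change the job's permissions. The `BRANCH_NAME` expression handles `pull_request`, which suggests the job also runs for pull requests, although the trigger is outside this hunk. Splitting it into a read-only build job that uploads `./target/docs` and a small deploy job that alone has `contents: write` would confine the write token to the publish step, as sketched below. Separately, `${BRANCH_NAME}` in the `run:` block would be safer quoted as `"${BRANCH_NAME}"`.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    # … unchanged: env BRANCH_NAME, checkout, rust-toolchain and doc.py steps …
    steps:
      - uses: actions/upload-artifact@v4
        with:
          name: docs
          path: ./target/docs

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: docs
          path: ./target/docs
      # … unchanged: peaceiris/actions-gh-pages step …
```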
@@ -30,24 +36,33 @@ jobs: target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} - - uses: dtolnay/rust-toolchain@nightly + - uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 + with: + toolchain: nightly - name: Set seconds to run tests id: fuzz_config + env: + SECONDS: ${{ inputs.fuzzseconds }} + EVENT: ${{ github.event_name }} run: | - if [ "${{ github.event_name }}" = "schedule" ]; then + seconds="${SECONDS}" + if ! [[ "$seconds" =~ ^[0-9]+$ ]] || (( seconds < 0 || seconds > 600 )); then + echo "Invalid fuzzseconds input; using default 30" + seconds=30 + fi + + if [ "${EVENT}" = "schedule" ]; then echo "fuzzseconds=600" >> "$GITHUB_OUTPUT" - elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - val="${{ inputs.fuzzseconds }}" - if [ -z "$val" ]; then - val=30 - fi - echo "fuzzseconds=$val" >> "$GITHUB_OUTPUT" + elif [ "${EVENT}" = "workflow_dispatch" ]; then + echo "fuzzseconds=$seconds" >> "$GITHUB_OUTPUT" else echo "fuzzseconds=30" >> "$GITHUB_OUTPUT" fi - name: Run tests + env: + SECONDS: ${{ steps.fuzz_config.outputs.fuzzseconds }} run: | cargo install cargo-fuzz - cargo +nightly fuzz run static_vector -- -max_total_time=${{ steps.fuzz_config.outputs.fuzzseconds }} + cargo +nightly fuzz run static_vector -- -max_total_time=${SECONDS} diff --git a/.github/workflows/workflows-audit.yml b/.github/workflows/workflows-audit.yml new file mode 100644 index 0000000..35bd1b2 --- /dev/null +++ b/.github/workflows/workflows-audit.yml 
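Review bot: `SECONDS` is a special variable in bash, the default shell for `run:` on Linux runners: the shell treats its value as a running counter, so a value received through `env:` keeps increasing while the step runs. In the `Run tests` step this makes `-max_total_time=${SECONDS}` the configured value plus however long `cargo install cargo-fuzz` took. In the config step an empty `inputs.fuzzseconds` would probably read back as a small number instead of failing the regex and falling back to 30. A non-reserved name avoids both, e.g. `FUZZ_SECONDS: ${{ inputs.fuzzseconds }}` with `seconds="${FUZZ_SECONDS}"`, and likewise in `Run tests`. The `seconds < 0` test can be dropped, since the regex already rejects a sign.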
@@ -0,0 +1,31 @@ +name: CI + +on: + push: + branches: + - master + paths: + - '.github/**' + pull_request: + paths: + - '.github/**' + +permissions: + contents: read + actions: read + +jobs: + workflows-audit: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Run Zizmor audit + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + docker run --rm -v ${{ github.workspace }}:/workspace/ -w /workspace/ ghcr.io/zizmorcore/zizmor@sha256:4d3128ae1370da9507bdd42a62d72b8304d4d0f290147aaac3eb0ebf51d70890 \ + -p --gh-token ${GITHUB_TOKEN} .github/workflows/ diff --git a/.vscode/extensions.json b/.vscode/extensions.json index 137b74e..de7e8a1 100644 --- a/.vscode/extensions.json +++ b/.vscode/extensions.json @@ -2,5 +2,6 @@ "recommendations": [ "rust-lang.rust-analyzer", "ryanluker.vscode-coverage-gutters", + "cordx56.rustowl-vscode" ] }
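Review bot: The token reaches zizmor as a command-line argument (`--gh-token ${GITHUB_TOKEN}`), which puts it in the process arguments of `docker run` on the runner. Passing it through the container environment keeps it out of argv. zizmor documents `GH_TOKEN` as the environment form of that option (worth confirming against the pinned image), so the step could set `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under `env:`, add `-e GH_TOKEN` to `docker run`, and drop `--gh-token`. The `-v ${{ github.workspace }}:/workspace/` mount can use the quoted shell variable `"${GITHUB_WORKSPACE}"` instead of template expansion, matching the env-based style this commit introduces in fuzz.yml. The workflow is also named `CI`, which may collide with the existing CI workflow in the Actions UI; ci.yml's own `name:` is not visible in this diff.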