diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index be006de9..9142c861 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,3 +11,5 @@ updates:
           - "*"  # Group all Actions updates into a single larger pull request
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 58a69996..0795edcc 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -4,9 +4,9 @@ on:
   pull_request:
     branches:
       - master
-  push:
-    tags:
-      - "v*"
+  release:
+    types:
+      - published
 
 jobs:
   build_bdist:
@@ -31,19 +31,13 @@ jobs:
             arch: ARM64
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       with:
         fetch-depth: 0
-
-    # For aarch64 support
-    # https://cibuildwheel.pypa.io/en/stable/faq/#emulation
-    #- uses: docker/setup-qemu-action@v3
-    #  with:
-    #    platforms: all
-    #  if: runner.os == 'Linux' && matrix.arch == 'aarch64'
+        persist-credentials: false
 
     - name: Build just oldest and newest on PRs, all on tags
-      if:  ${{ github.event_name }} == pull_request
+      if: ${{ github.event_name == 'pull_request' }}
       shell: bash
       # - On PPs, omit musllinux for speed
       # - On PRs, run just oldest and newest Python versions (3.11 is the oldest abi3 target)
@@ -57,51 +51,39 @@ jobs:
         echo "Setting CIBW_TEST_SKIP=$CIBW_TEST_SKIP"
 
     - name: "Building ${{ matrix.os }} (${{ matrix.arch }}) wheels"
-      uses: pypa/cibuildwheel@v3.4.0
+      uses: pypa/cibuildwheel@ee02a1537ce3071a004a6b08c41e72f0fdc42d9a  # v3.4.0
       env:
         CIBW_SKIP: ${{ env.CIBW_SKIP }}
         CIBW_TEST_SKIP: ${{ env.CIBW_TEST_SKIP }}
         CIBW_ARCHS: ${{ matrix.arch }}
 
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
       with:
         name: pypi-artifacts-${{ matrix.os }}-${{ matrix.arch }}
         path: ${{ github.workspace }}/wheelhouse/*.whl
-
+    permissions:
+      actions: write
 
   build_sdist:
     name: Build source distribution
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Build sdist
         run: >
           pip install build
           && python -m build --sdist . --outdir dist
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: pypi-artifacts
           path: ${{ github.workspace }}/dist/*.tar.gz
-
-  show-artifacts:
-    needs: [build_bdist, build_sdist]
-    name: "Show artifacts"
-    runs-on: ubuntu-22.04
-    steps:
-    - uses: actions/download-artifact@v8
-      with:
-        pattern: pypi-artifacts*
-        path: ${{ github.workspace }}/dist
-        merge-multiple: true
-
-    - shell: bash
-      run: |
-        ls -l ${{ github.workspace }}/dist
-
+    permissions:
+      actions: write
 
   publish-artifacts-pypi:
     needs: [build_bdist, build_sdist]
@@ -110,14 +92,17 @@ jobs:
     # upload to PyPI for every tag starting with 'v'
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
     steps:
-    - uses: actions/download-artifact@v8
+    - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8
       with:
         pattern: pypi-artifacts*
         path: ${{ github.workspace }}/dist
         merge-multiple: true
 
-    - uses: pypa/gh-action-pypi-publish@release/v1
+    # Move to Trusted Publishing
+    - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
       with:
         user: __token__
         password: ${{ secrets.PYPI_PASSWORD }}
         print_hash: true
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 3891f15c..bc531c8d 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -1,22 +1,32 @@
 name: Build and Deploy docs
 
 on:
+  pull_request:
   push:
     branches:
       - master
+  release:
+    types:
+      - published
+
+# Deny all permissions by default
+permissions: {}
 
 jobs:
   build-docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
 
     steps:
     - name: checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Setup Mamba
-      uses: mamba-org/setup-micromamba@v2
+      uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7
       with:
         environment-name: TEST
         create-args: >-
@@ -43,7 +53,8 @@ jobs:
         popd
 
     - name: Deploy
-      uses: peaceiris/actions-gh-pages@v4
+      if: success() && github.event_name == 'release'
+      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e  # v4.0.0
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: docs/_build/html
diff --git a/.github/workflows/tests_conda.yml b/.github/workflows/tests_conda.yml
index 49c5e313..cae95de7 100644
--- a/.github/workflows/tests_conda.yml
+++ b/.github/workflows/tests_conda.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: [master]
 
+# Deny all permissions by default
+permissions: {}
+
 jobs:
   run:
     runs-on: ${{ matrix.os }}
@@ -25,10 +28,12 @@ jobs:
             experimental: true
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+      with:
+        persist-credentials: false
 
     - name: Setup micromamba Env
-      uses: mamba-org/setup-micromamba@v2
+      uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7
       with:
         environment-name: TEST
         create-args: >-
diff --git a/.github/workflows/tests_latest.yml b/.github/workflows/tests_latest.yml
index e270c2b6..f04e4cfb 100644
--- a/.github/workflows/tests_latest.yml
+++ b/.github/workflows/tests_latest.yml
@@ -1,5 +1,12 @@
 name: Build and test with development python
-on: [push, pull_request]
+
+on:
+  pull_request:
+  push:
+
+# Deny all permissions by default
+permissions: {}
+
 jobs:
   build-linux:
     name: Python (${{ matrix.python-version }})
@@ -9,10 +16,12 @@ jobs:
         python-version: ["3.14.0b.1"]
     steps:
 
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # v6.1.0
       with:
         python-version: ${{ matrix.python-version }}
 
diff --git a/setup.py b/setup.py
index 48371c37..8607e82f 100644
--- a/setup.py
+++ b/setup.py
@@ -43,8 +43,6 @@
 
 if USE_PY_LIMITED_API:
     DEFINE_MACROS  += [(("Py_LIMITED_API", ABI3_TARGET_HEX))]
-    
-if USE_PY_LIMITED_API:
     SETUP_OPTIONS = {"bdist_wheel": {"py_limited_api": f"cp{ABI3_TARGET_VERSION}"}}
 else:
     SETUP_OPTIONS = {}