diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ec8a646..0e9be25 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml
index cc7773e..04d4c5c 100644
--- a/.github/workflows/ci_workflows.yml
+++ b/.github/workflows/ci_workflows.yml
@@ -8,7 +8,22 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+
   tests:
     name: ${{ matrix.name }} [ ${{ matrix.os }} ]
     runs-on: ${{ matrix.os }}
@@ -57,12 +72,13 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0
         submodules: true
+        persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ matrix.python }}
         allow-prereleases: true
@@ -100,12 +116,13 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0
         submodules: true
+        persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ matrix.python }}
     - name: Install APT packages
@@ -125,12 +142,13 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0
         submodules: true
+        persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         # this is mainly meant to be useful on old or exotic archs
         # so we use our oldest-supported Python
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6e4ee09..d2c6a98 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -52,7 +52,8 @@ jobs:
         - cp3*win32
         - cp3*win_amd64
         - pp3*-win_amd64
-        # Windows arm64 wheels
+        # NumPy doesn't have wheels for this target + Python older than 3.11
+        # so we resort to manual version selection until 3.10 is dropped
         - cp3{11,12,13,14}-win_arm64
 
     secrets:
diff --git a/liberfa/erfa b/liberfa/erfa
index 9915ba3..1d9738b 160000
--- a/liberfa/erfa
+++ b/liberfa/erfa
@@ -1 +1 @@
-Subproject commit 9915ba38c9365f8b0738269b8c2ac1fdd5f8dee3
+Subproject commit 1d9738bed9954188722f976774d0903e5dae1857