diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index e58f93902..d9d55ee67 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
@@ -1,4 +1,7 @@
 name: Create JIRA issue
+permissions:
+  contents: read
+  issues: write
 
 on:
   issues:
@@ -6,8 +9,12 @@ on:
 
 jobs:
   call-workflow-create-jira-issue:
+    if: startsWith(github.repository, 'MiraGeoscience/') # run on the Mira repo only
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
-    secrets: inherit
+    secrets:
+      JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+      JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
     with:
       project-key: 'GEOPY'
       components: '[{"name": "geoapps"}]'
diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index 199d6e71d..7080902ab 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
@@ -1,10 +1,20 @@
 name: Add JIRA issue summary
 
 on:
-  pull_request_target:
-    types: [opened, synchronize]
+  pull_request:
+    types: [opened]
+permissions:
+  contents: read
+  pull-requests: write
 
 jobs:
   call-workflow-add-jira-issue-summary:
+    if: startsWith(github.event.pull_request.head.repo.full_name, 'MiraGeoscience/') # run if PR originates from the Mira repo only
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main
-    secrets: inherit
+    permissions:
+      contents: read
+      pull-requests: write
+    secrets:
+      JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+      JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
diff --git a/.github/workflows/python_analysis.yml b/.github/workflows/python_analysis.yml
index 0d6a6e7a5..c285db962 100644
--- a/.github/workflows/python_analysis.yml
+++ b/.github/workflows/python_analysis.yml
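Review bot: The `uses:` line in the call-workflow-create-jira-issue job references the reusable workflow by the mutable `@main` ref, so the workflow that receives `JIRA_BASE_URL`, `JIRA_API_TOKEN` and `JIRA_USER_EMAIL` can change without any commit in this repository; pinning to a full commit SHA, e.g. `uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@<commit-sha> # main`, keeps that change reviewable here. CI-tools appears to live in the same organisation, which lowers but does not remove the risk. The same applies to the `uses:` lines in pr_add_jira_summary.yml, python_analysis.yml and the new zizmor-security.yml, and the zizmor workflow this commit adds may report them as unpinned uses itself.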
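Review bot: The `if:` condition on the call-workflow-add-jira-issue-summary job matches any head repository whose full name starts with `MiraGeoscience/`, not just this repository, so the trailing comment `# run if PR originates from the Mira repo only` overstates what it checks. If one repository is meant, `if: github.event.pull_request.head.repo.full_name == github.repository` says so exactly; if any repository in the organisation is acceptable, reword the comment to `# skip PRs whose head repo is outside the MiraGeoscience org`. The job-level `permissions:` block repeats the workflow-level one added a few lines above; either one can go, since a `uses:` job without its own `permissions:` inherits the caller's.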
@@ -24,21 +24,28 @@ concurrency:
 jobs:
   call-workflow-static-analysis:
     name: Static analysis
+    permissions:
+      contents: read
+      pull-requests: read
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@main
     with:
       package-manager: 'conda'
       app-name: 'geoapps'
       python-version: '3.10'
+
   call-workflow-pytest:
     name: Pytest
+    permissions:
+      contents: read
+      pull-requests: read
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@main
     with:
       package-manager: 'conda'
       python-versions: '["3.10"]'
       os: '["ubuntu-latest", "windows-latest"]'
+      lfs: true
       cache-number: 1
       codecov-reference-python-version: '3.10'
       codecov-reference-os: '["windows-latest"]'
-      lfs: true
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/zizmor-security.yml b/.github/workflows/zizmor-security.yml
new file mode 100644
index 000000000..03caa5f7c
--- /dev/null
+++ b/.github/workflows/zizmor-security.yml
@@ -0,0 +1,26 @@
+name: Zizmor analysis
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - develop
+      - main
+      - release/**
+      - feature/**
+      - hotfix/**
+  push:
+    branches:
+      - main
+      - develop
+      - feature/**
+      - hotfix/**
+      - release/**
+
+jobs:
+  call-workflow-zizmor:
+    name: Zizmor analysis
+    permissions:
+      contents: read
+      actions: read
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-security.yml@main
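Review bot: The new zizmor-security.yml has no `concurrency:` block, unlike python_analysis.yml (its hunk header shows one), so every push to the listed branches and every matching PR event runs to completion even when a newer run has superseded it; a top-level `concurrency:` / `group: ${{ github.workflow }}-${{ github.ref }}` / `cancel-in-progress: true` would align it with the other workflow (group name constructed here, match whatever python_analysis.yml uses). The `pull_request` and `push` branch lists hold the same five entries in different orders; writing them in one order makes the two filters easy to compare and diff.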