diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml index 7e6dfc4..7036b38 100644 --- a/.github/workflows/deploy-docs.yml +++ b/.github/workflows/deploy-docs.yml @@ -1,5 +1,8 @@ name: Documentation +# no permissions by default +permissions: {} + on: pull_request: push: @@ -12,15 +15,18 @@ on: jobs: build-docs: runs-on: ubuntu-latest + permissions: + contents: write steps: - name: checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Setup Micromamba Python - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@7f29b8b80078b1b601dfa018b0f7425c587c63bb # v2.0.6 with: environment-name: TEST init-shell: bash @@ -44,7 +50,7 @@ jobs: - name: Deploy if: success() && github.event_name == 'release' - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: docs/build/html diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml index ea2dded..2b6211f 100644 --- a/.github/workflows/pypi.yml +++ b/.github/workflows/pypi.yml @@ -14,13 +14,24 @@ defaults: shell: bash jobs: - packages: + pypi-publish: + name: Upload release to PyPI runs-on: ubuntu-latest + environment: + name: pypi + url: https://pypi.org/p/python-ctd/ + permissions: + id-token: write # IMPORTANT: this permission is mandatory for trusted publishing + steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + # Should be enough for setuptools-scm + fetch-depth: 100 + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.x" 
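Review bot: `contents: write` is granted to the whole `build-docs` job, which (per the `on:` block in the first hunk) also runs on at least `pull_request` and `push`, so the checkout, micromamba setup and docs build execute with a write-capable `GITHUB_TOKEN` on every run even though only the `Deploy` step in the third hunk, already gated on `github.event_name == 'release'`, needs it. For fork PRs GitHub downgrades the token to read-only, but same-repo branches and pushes are not covered, and `persist-credentials: false` does not help here because the job-level permission applies to every step's `${{ secrets.GITHUB_TOKEN }}`. Moving the deploy into its own job, gated with a job-level `if:` and `needs: build-docs`, keeps the build under the empty top-level `permissions: {}` and scopes `contents: write` to the publish step alone; the docs build step between the second and third hunks is outside the diff, so the artifact path below is taken from the existing `publish_dir`. Action pins in the sketch are placeholders to be replaced with commit SHAs like the rest of this commit.
```yaml
jobs:
  build-docs:
    runs-on: ubuntu-latest
    # no job-level permissions: inherits the empty top-level `permissions: {}`
    steps:
    # … unchanged: checkout, micromamba setup, docs build …
    - name: Upload built docs
      uses: actions/upload-artifact@<pinned-sha> # <version>
      with:
        name: docs-html
        path: docs/build/html

  deploy-docs:
    needs: build-docs
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    permissions:
      contents: write # only the publishing job can push to gh-pages
    steps:
    - uses: actions/download-artifact@<pinned-sha> # <version>
      with:
        name: docs-html
        path: docs/build/html
    - name: Deploy
      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        publish_dir: docs/build/html
```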
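Review bot: `environment: pypi` and `permissions: id-token: write` are placed on the single job that also checks out, builds, installs and twine-checks the package (second hunk of this file), so every run of the job, not only the release-gated publish step, gets an OIDC-capable token and the `pypi` environment context. Trusted publishing is least-privilege only when the job that mints the token does nothing but download a prebuilt `dist/` and upload it; the build and test steps should live in a separate job with no `id-token` permission, and the publish job should `needs:` it and carry the `github.event_name == 'release'` condition at job level. Separately, the `# Should be enough for setuptools-scm` comment on `fetch-depth: 100` is a guess: setuptools-scm derives the version from the nearest tag, so a run whose last tag is more than 100 commits back, or a shallow clone that did not fetch tags, may yield a `.devN` fallback version; `fetch-depth: 0` (as `deploy-docs.yml` already uses) or `fetch-tags: true` avoids that. Sketch of the split, with action pins as placeholders:
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    # … unchanged: checkout, setup-python, build, CheckFiles, Test wheels …
    - uses: actions/upload-artifact@<pinned-sha> # <version>
      with:
        name: dist
        path: dist/

  pypi-publish:
    name: Upload release to PyPI
    needs: build
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/python-ctd/
    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
    - uses: actions/download-artifact@<pinned-sha> # <version>
      with:
        name: dist
        path: dist/
    - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
```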
@@ -29,23 +40,23 @@ jobs: - name: Install build tools run: | - python -m pip install --upgrade pip build twine + python -m pip install --upgrade build - - name: Build binary wheel + - name: Build sdist and binary wheel run: python -m build --sdist --wheel . --outdir dist - name: CheckFiles run: | ls dist + python -m pip install --upgrade check-manifest + check-manifest --verbose - name: Test wheels run: | cd dist && python -m pip install *.whl + python -m pip install --upgrade twine python -m twine check * - name: Publish a Python distribution to PyPI if: success() && github.event_name == 'release' - uses: pypa/gh-action-pypi-publish@release/v1 - with: - user: __token__ - password: ${{ secrets.PYPI_PASSWORD }} + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6e82fad..e63227d 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,24 +1,29 @@ name: Tests +# no permissions by default +permissions: {} + on: pull_request: push: - branches: [main] + branches: [ main ] jobs: run: runs-on: ${{ matrix.os }} strategy: matrix: - python-version: [ "3.11", "3.12" ] - os: [windows-latest, ubuntu-latest, macos-latest] + python-version: [ "3.11", "3.12", "3.13" ] + os: [ windows-latest, ubuntu-latest, macos-latest ] fail-fast: false steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Micromamba Python ${{ matrix.python-version }} - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@7f29b8b80078b1b601dfa018b0f7425c587c63bb # v2.0.6 with: environment-name: TEST init-shell: bash diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 801fc0c..7df65c7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
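Review bot: The tooling that produces and checks the published artifact, `python -m pip install --upgrade build`, `check-manifest` and `twine`, is still resolved to whatever PyPI serves at run time, which undercuts the SHA pinning this commit applies to every action; the artifact uploaded through trusted publishing is only as trustworthy as the `build` that made it. Pin them, e.g. `python -m pip install --upgrade 'build==<pinned version>'`, or install from a requirements file with `--require-hashes`, so a compromised or yanked release cannot change what gets published. Also, if the `on: release:` trigger (outside this hunk) has no `types:` filter, `github.event_name == 'release'` is true for `edited`, `created` and other release actions as well; gating on `github.event.action == 'published'` (or `types: [published]` in the trigger) makes the publish step run once per release.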
@@ -66,6 +66,11 @@ repos: hooks: - id: pyproject-fmt +- repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.12.1 + hooks: + - id: zizmor + ci: autofix_commit_msg: | [pre-commit.ci] auto fixes from pre-commit.com hooks diff --git a/MANIFEST.in b/MANIFEST.in index 74e18e4..406424d 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,4 +1,17 @@ include *.txt include README.md -recursive-include ctd *.py +include pyproject.toml + +graft ctd + +prune .github +prune *.egg-info +prune docs +prune notebooks prune tests + +exclude ruff.toml +exclude .gitignore +exclude .pre-commit-config.yaml +exclude *.yml +exclude ctd/_version.py
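Review bot: `rev: v1.12.1` pins the zizmor hook to a mutable tag, whereas the same commit moves every workflow action to an immutable commit SHA; pre-commit accepts a full commit SHA in `rev` (`rev: <full commit sha>  # v1.12.1`), which keeps the pre-commit.ci run consistent with the workflow policy. One caveat if you do that: pre-commit's autoupdate rewrites `rev` back to the latest tag, so if pre-commit.ci autoupdate is enabled for this repo (the `ci:` block below suggests it may be) the SHA pin only holds if that autoupdate is turned off or the hook is excluded from it.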