diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 70275ab152..0557087176 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -20,6 +20,12 @@ on:
 env:
   RUFF_BASE_IMG: ghcr.io/${{ github.repository_owner }}/ruff
 
+permissions:
+  contents: read
+  # TODO(zanieb): Ideally, this would be `read` on dry-run but that will require
+  # significant changes to the workflow.
+  packages: write # zizmor: ignore[excessive-permissions]
+
 jobs:
   docker-build:
     name: Build Docker image (ghcr.io/astral-sh/ruff) for ${{ matrix.platform }}
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index bd72c6a766..5ec33b15dc 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -17,6 +17,9 @@ on:
       required: true
       type: string
 
+permissions:
+  contents: read
+
 jobs:
   mkdocs:
     runs-on: ubuntu-latest
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 28ec2a61ef..0000000000
--- a/.github/zizmor.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Configuration for the zizmor static analysis tool, run via pre-commit in CI
-# https://docs.zizmor.sh/configuration/
-#
-# TODO: can we remove the ignores here so that our workflows are more secure?
-rules:
-  cache-poisoning:
-    ignore:
-      - build-docker.yml
-  excessive-permissions:
-    # it's hard to test what the impact of removing these ignores would be
-    # without actually running the release workflow...
-    ignore:
-      - build-docker.yml
-      - publish-docs.yml
-  secrets-inherit:
-    # `cargo dist` makes extensive use of `secrets: inherit`,
-    # and we can't easily fix that until an upstream release changes that.
-    disable: true
-  template-injection:
-    ignore:
-      # like with `secrets-inherit`, `cargo dist` introduces some
-      # template injections. We've manually audited these usages for safety.
-      - release.yml
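Review bot: `packages: write` is granted at the workflow level of build-docker.yml, so every job in the file — including any build-only or dry-run job — receives a GITHUB_TOKEN able to push to ghcr.io, which is exactly the condition the suppressed `excessive-permissions` finding warns about. Scoping the grant per job removes the need for the `# zizmor: ignore[...]` suppression: keep the workflow-level block as `permissions:` / `  contents: read`, and declare `permissions:` / `  contents: read` / `  packages: write` only on the job(s) that log in to the registry and push. The dry-run case the TODO mentions can then be handled on that job with an `if:` guard on the push step rather than by widening the token for the whole workflow. The job bodies run past the hunk, so which jobs actually push is inferred here rather than visible.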