diff --git a/.github/workflows/action_compliance.yaml b/.github/workflows/action_compliance.yaml
index b233f08dd..5eeeddc43 100644
--- a/.github/workflows/action_compliance.yaml
+++ b/.github/workflows/action_compliance.yaml
@@ -34,3 +34,20 @@ jobs:
 run: .github/workflows/scripts/teardown-check.sh
 - name: actionlint
 uses: raven-actions/actionlint@01fce4f43a270a612932cb1c64d40505a029f821 # v2.0.0
+
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout project
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: 'false'
+ - name: Check workflows with zizmor
+ uses: zizmorcore/zizmor-action@2520132f44b3ed84916048d32e5c7153fc739fe7 # v0.0.3
+ with:
+ advanced-security: true
+ persona: pedantic
diff --git a/.github/workflows/concrete_compiler_benchmark.yml b/.github/workflows/concrete_compiler_benchmark.yml
index 49f456801..9adfdb3c6 100644
--- a/.github/workflows/concrete_compiler_benchmark.yml
+++ b/.github/workflows/concrete_compiler_benchmark.yml
@@ -112,10 +112,12 @@ jobs:
 --database compiler_benchmarks \
 --hardware "hpc7a.96xlarge" \
 --project-version ${{ needs.build-and-run-benchmarks.outputs.commit_hash}} \
- --branch ${{ github.ref_name }} \
+ --branch "${GITHUB_REF_NAME}" \
 --commit-date "${{ needs.build-and-run-benchmarks.outputs.commit_date }}" \
 --bench-date "${{ needs.build-and-run-benchmarks.outputs.bench_date }}" \
 --throughput
+ env:
+ GITHUB_REF_NAME: ${{ github.ref_name }}
 - name: Upload parsed results artifact
 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
diff --git a/.github/workflows/concrete_compiler_publish_docker_images.yml b/.github/workflows/concrete_compiler_publish_docker_images.yml
index 13e88b803..2f56c69dd 100644
--- a/.github/workflows/concrete_compiler_publish_docker_images.yml
+++ b/.github/workflows/concrete_compiler_publish_docker_images.yml
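Review bot: The new zizmor job asks for `security-events: write` and sets `advanced-security: true`, which makes the action upload SARIF to code scanning; if this workflow also fires for pull requests from forks (its `on:` block is outside the hunk), the GITHUB_TOKEN on those runs is read-only and the upload will fail the job, so either gate the step (`if: github.event.pull_request.head.repo.fork == false`) or accept that it only reports on same-repo branches. Pinning both actions to full commit SHAs with version comments and setting `persist-credentials: 'false'` on a lint-only checkout are the right calls. Worth noting that `persona: pedantic` will also surface the `needs.*.outputs` expansions left in the other workflows of this commit, so expect the job to start red until those are routed through `env:` too.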
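Review bot: Only `github.ref_name` is moved into an env var here; the same `run:` block still expands `${{ needs.build-and-run-benchmarks.outputs.commit_hash }}`, `commit_date` and `bench_date` straight into the shell, and `--project-version` is the one argument left unquoted. Whether those outputs can carry attacker-influenced text depends on how build-and-run-benchmarks sets them, which is not visible from this hunk, but routing them through the environment the same way (`COMMIT_HASH: ${{ needs.build-and-run-benchmarks.outputs.commit_hash }}` under `env:`, then `--project-version "${COMMIT_HASH}" \`) makes the step uniformly safe and is what zizmor's template-injection audit will otherwise keep flagging. The `run:` block this belongs to starts before the hunk.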
@@ -163,8 +163,10 @@ jobs:
 - name: Tag and Publish Release Image
 if: steps.login.conclusion != 'skipped' && startsWith(github.ref, 'refs/tags/v')
 run: |
- docker image tag ${{ env.image }} ${{ env.image }}:${{ github.ref_name }}
- docker image push ${{ env.image }}:${{ github.ref_name }}
+ docker image tag ${{ env.image }} "${{ env.image }}:${GITHUB_REF_NAME}"
+ docker image push "${{ env.image }}:${GITHUB_REF_NAME}"
+ env:
+ GITHUB_REF_NAME: ${{ github.ref_name }}
 - name: Slack Notification
 if: ${{ failure() && github.ref == 'refs/heads/main' }}
 continue-on-error: true
diff --git a/.github/workflows/concrete_cpu_test.yml b/.github/workflows/concrete_cpu_test.yml
index ea08f5ea9..f1ab6bf4a 100644
--- a/.github/workflows/concrete_cpu_test.yml
+++ b/.github/workflows/concrete_cpu_test.yml
@@ -9,6 +9,7 @@ on:
 push:
 branches:
 - 'main'
+ # zizmor: ignore[cache-poisoning] this isn't used for release
 - 'release/*'
 
 concurrency:
diff --git a/.github/workflows/concrete_python_finalize_release.yml b/.github/workflows/concrete_python_finalize_release.yml
index 168786ecf..a6630ed83 100644
--- a/.github/workflows/concrete_python_finalize_release.yml
+++ b/.github/workflows/concrete_python_finalize_release.yml
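Review bot: Both new commands still let the template engine splice `${{ env.image }}` into the shell line while `${GITHUB_REF_NAME}` now comes from the environment, so the step mixes the two mechanisms; since `env:` values are exported to the step's shell, the consistent form is `docker image tag "${image}" "${image}:${GITHUB_REF_NAME}"` and `docker image push "${image}:${GITHUB_REF_NAME}"`, which also quotes the first argument that is currently bare. This is a style point rather than an injection risk if `image` is a fixed workflow-level value, which the hunk does not show. The `startsWith(github.ref, 'refs/tags/v')` guard is what actually bounds the tag string that lands in the image name, so keep it on this step.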
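Review bot: The `# zizmor: ignore[cache-poisoning]` comment is placed on the line above `- 'release/*'`, but zizmor only honours an ignore comment that falls within the span of the finding it suppresses; if the finding is reported at the caching step or at the `on:` trigger as a whole rather than at this list item, the suppression is silently ineffective, so confirm with a local `zizmor` run (or the new workflow-lint job) that the finding disappears, and confirm the pinned version accepts free text after the closing bracket. The justification is useful but worth making verifiable, e.g. `# zizmor: ignore[cache-poisoning] release/* branches only run tests here; nothing built in this workflow is published`.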
@@ -19,18 +19,21 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_IAM_KEY }}
 AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
 S3_BUCKET_NAME: ${{ secrets.AWS_S3_PYPI_BUCKET_NAME }}
+ INPUT_VERSION: ${{ inputs.version }}
 run: |
 mkdir wheels
- aws s3 cp "s3://${S3_BUCKET_NAME}/cpu/concrete-python/" ./wheels/ --recursive --exclude "*" --include "concrete_python-${{ inputs.version }}-*"
+ aws s3 cp "s3://${S3_BUCKET_NAME}/cpu/concrete-python/" ./wheels/ --recursive --exclude "*" --include "concrete_python-${INPUT_VERSION}-*"
 echo "============== Downloaded wheels ==============="
 ls -la ./wheels/
 - name: Push wheels to public PyPI (public)
 run: |
 pip install twine==6.0.0
- twine upload wheels/concrete_python-${{ inputs.version }}*.whl \
+ twine upload "wheels/concrete_python-${INPUT_VERSION}*.whl" \
 -u "${{ secrets.PUBLIC_PYPI_USER }}" \
 -p "${{ secrets.PUBLIC_PYPI_PASSWORD }}" \
 -r pypi
+ env:
+ INPUT_VERSION: ${{ inputs.version }}
 - name: Slack Notification
 if: ${{ failure() }}
 continue-on-error: true
@@ -55,11 +58,13 @@ jobs:
 - name: Get version from tag
 run: |
 # remove leading 'v' and '-' from tag
- VERSION=$(echo ${{ inputs.version }} | sed "s/^v*//g" | sed "s/-//g")
+ VERSION=$(echo "${INPUT_VERSION}" | sed "s/^v*//g" | sed "s/-//g")
 {
 echo "VERSION=$VERSION"
 echo "NAME_TAG=${{ env.DOCKER_IMAGE_NAME }}:v$VERSION"
 } >> "${GITHUB_ENV}"
+ env:
+ INPUT_VERSION: ${{ inputs.version }}
 - name: Build image
 run: |
 mkdir empty_context
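Review bot: `inputs.version` now reaches the shell through `INPUT_VERSION`, which closes the template-injection hole, but it is still used unvalidated as the S3 `--include` pattern and the local wheel glob that together decide what gets pushed to public PyPI; a value like `*` or `3.0.*` selects far more wheels than intended, so validate it once at the top of the first `run:` block, e.g. `[[ "${INPUT_VERSION}" =~ ^[0-9][0-9A-Za-z.+-]*$ ]] || { echo "unexpected version: ${INPUT_VERSION}" >&2; exit 1; }`. Quoting the twine argument is safe because twine expands glob patterns itself and errors when nothing matches. The PyPI credentials are still interpolated into the command line via `-u`/`-p`, which exposes them in the process arguments of the runner; prefer `TWINE_USERNAME`/`TWINE_PASSWORD` in the step's `env:` (or PyPI trusted publishing) and drop the flags.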
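Review bot: `VERSION` is derived from `INPUT_VERSION` and then written to `$GITHUB_ENV` with `echo "VERSION=$VERSION"`, and that file is parsed one `KEY=VALUE` per line, so an input containing a newline (which the sed pipeline does not strip) would append arbitrary environment variables for every later step of the job; only a workflow_dispatch caller can supply it, but a shape check before the write closes this cheaply, e.g. `[[ "$VERSION" =~ ^[0-9A-Za-z.+]+$ ]] || { echo "unexpected version: $VERSION" >&2; exit 1; }` right after the pipeline. As a style point, `sed "s/^v*//g"` needs no `g` since the pattern is anchored, and `s/-//g` removes every dash rather than only a leading one as the comment suggests; if that is intentional for tags like `1.0.0-rc1`, the comment should say so.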