diff --git a/.github/workflows/pull-compliance.yml b/.github/workflows/pull-compliance.yml
index 7d61ad3a1c..8943dc6142 100644
--- a/.github/workflows/pull-compliance.yml
+++ b/.github/workflows/pull-compliance.yml
@@ -52,10 +52,12 @@ jobs: - run: make lint-spell - - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true' + - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true' || needs.files-changed.outputs.actions == 'true' uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + python-version: 3.14 - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true' - run: uv python install 3.14 && make deps-py lint-templates lint-yaml + run: make deps-py lint-templates lint-yaml - if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.swagger == 'true' || needs.files-changed.outputs.json == 'true' run: make deps-frontend lint-md lint-swagger lint-json
diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 67fbcf77d3..6e91eafe3e 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -27,7 +27,7 @@ jobs: ports: - "5432:5432" ldap: - image: gitea/test-openldap:latest + image: gitea/test-openldap:latest@sha256:4ac633b01d684e6b2a458cc0c8530c92f9b3702f6e040ce5f365607df34fbda0 ports: - "389:389" - "636:636"
@@ -118,7 +118,7 @@ jobs: ports: - "7700:7700" redis: - image: redis + image: redis:latest@sha256:94ea4f5ccdaa6b154df99a792986ecb3ffbb3fe7722a197220477f1f3e65f9fe options: >- # wait until redis has started --health-cmd "redis-cli ping" --health-interval 5s
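Review bot: The new `python-version: 3.14` under `with:` in the setup-uv step is an unquoted YAML float; it happens to stringify as "3.14" today, but the same pattern silently turns 3.10 or 3.20 into 3.1/3.2 on the next bump, so write it as `python-version: "3.14"`. The removed `uv python install 3.14` had the number inside a shell string where implicit typing cannot bite; now that it lives in YAML it can. Separately, the setup-uv step now also fires on `actions == 'true'` while the `make deps-py lint-templates lint-yaml` step keeps its old condition — presumably a later step outside this hunk runs `make lint-actions` under the actions condition (the Makefile change in this diff gives that target a `.venv` dependency), which is worth confirming so uv is not installed for nothing.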
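Review bot: Pinning `gitea/test-openldap` by digest is the right call, but keeping `:latest` in front of `@sha256:…` makes the tag purely decorative — the runtime resolves the digest and ignores the tag — so a reader can no longer tell which version is pinned and nothing in the file says when it was last refreshed. Prefer a version-bearing tag alongside the digest (`image: gitea/test-openldap:<version>@sha256:4ac633b0…`) where the registry offers one, or at least a trailing `# <version>, <date>` comment, and check that the repo's dependency-update bot is configured to refresh digests in workflow `services:` images — as far as I know Dependabot's github-actions ecosystem only touches `uses:` lines, while Renovate's does handle `container`/`services` images. The `redis:latest@sha256:…` pin in the next hunk has the same readability gap.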
@@ -134,7 +134,7 @@ jobs: ports: - "9000:9000" devstoreaccount1.azurite.local: # https://github.com/Azure/Azurite/issues/1583 - image: mcr.microsoft.com/azure-storage/azurite:latest + image: mcr.microsoft.com/azure-storage/azurite:latest@sha256:dae2a5f96553962901304b94e72ef87e299d0825e4b679673bcc527a25076fe4 ports: - 10000:10000 steps:
@@ -191,7 +191,7 @@ jobs: ports: - "9200:9200" smtpimap: - image: tabascoterrier/docker-imap-devel:latest + image: tabascoterrier/docker-imap-devel:latest@sha256:3fb7cf50b47693e7b80f6f74abea2def4d7386016931d61359864de8a0aba551 ports: - "25:25" - "143:143"
@@ -235,7 +235,7 @@ jobs: ports: - "1433:1433" devstoreaccount1.azurite.local: # https://github.com/Azure/Azurite/issues/1583 - image: mcr.microsoft.com/azure-storage/azurite:latest + image: mcr.microsoft.com/azure-storage/azurite:latest@sha256:dae2a5f96553962901304b94e72ef87e299d0825e4b679673bcc527a25076fe4 ports: - 10000:10000 steps:
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
index be216a48e8..46cf147f02 100644
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -40,15 +40,20 @@ jobs: gpg_private_key: ${{ secrets.GPGSIGN_KEY }} passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} - name: sign binaries + env: + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }} run: | for f in dist/release/*; do - echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f" + echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f" done # clean branch name to get the folder name in S3 - name: Get cleaned branch name id: clean_name + env: + REF: ${{ github.ref }} run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') + REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') echo "Cleaned name is ${REF_NAME}" echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - name: configure aws
@@ -58,8 +63,11 @@ jobs: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: upload binaries to s3 + env: + AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} + BRANCH: ${{ steps.clean_name.outputs.branch }} run: | - aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress + aws s3 sync dist/release "s3://$AWS_S3_BUCKET/gitea/$BRANCH" --no-progress nightly-container: runs-on: namespace-profile-gitea-release-docker
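Review bot: Moving the passphrase and fingerprint into `env:` removes the inline `${{ }}` expansion from the shell script, which is the real fix here, but the passphrase is still handed to gpg via `echo "$GPG_PASSPHRASE"`; bash's builtin echo treats a leading `-n`, `-e` or `-E` as an option and would feed a truncated passphrase to gpg, and a leading `-` is a legal passphrase character. Use `printf '%s\n' "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"` so the value is passed verbatim regardless of its first characters. The `clean_name` change is sound as written: `$REF` now only reaches sed through a variable, and the quoted `"s3://$AWS_S3_BUCKET/gitea/$BRANCH"` in the second hunk closes the word-splitting gap the old unquoted URL had. The enclosing job continues outside both hunks.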
@@ -75,8 +83,10 @@ jobs: - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Get cleaned branch name id: clean_name + env: + REF: ${{ github.ref }} run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') + REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 id: meta
diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml
index 07102acc39..6dfca8e6cf 100644
--- a/.github/workflows/release-tag-rc.yml
+++ b/.github/workflows/release-tag-rc.yml
@@ -41,15 +41,20 @@ jobs: gpg_private_key: ${{ secrets.GPGSIGN_KEY }} passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} - name: sign binaries + env: + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }} run: | for f in dist/release/*; do - echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f" + echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f" done # clean branch name to get the folder name in S3 - name: Get cleaned branch name id: clean_name + env: + REF: ${{ github.ref }} run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') + REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') echo "Cleaned name is ${REF_NAME}" echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - name: configure aws
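Review bot: The `sign binaries` step in this hunk is now byte-identical to the one in release-nightly.yml and release-tag-version.yml, and the `clean_name` step differs from the nightly's only in `s/refs\/tags\/v//` versus `s/refs\/tags\///`; three hand-maintained copies of a secret-handling script are exactly where the next hardening (the `echo` → `printf` change, or a different `--passphrase-fd` setup) gets applied to two files and forgotten in the third. Consider pulling the sign step into a composite action under `.github/actions/` (inputs: the passphrase, the fingerprint, the artifact glob) and parameterising the tag-prefix strip, so the three workflows share one reviewed implementation. If the `refs/tags/` vs `refs/tags/v` difference is intentional — nightly keeps the `v`, rc and version releases drop it — a one-line comment above the sed saying so would stop the next reader from "fixing" it. The enclosing job starts and ends outside the hunk.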
@@ -59,17 +64,21 @@ jobs: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: upload binaries to s3 + env: + AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} + BRANCH: ${{ steps.clean_name.outputs.branch }} run: | - aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress + aws s3 sync dist/release "s3://$AWS_S3_BUCKET/gitea/$BRANCH" --no-progress - name: Install GH CLI uses: dev-hanz-ops/install-gh-cli-action@af38ce09b1ec248aeb08eea2b16bbecea9e059f8 # v0.2.1 with: gh-cli-version: 2.39.1 - name: create github release - run: | - gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/* env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} + TAG: ${{ github.ref_name }} + run: | + gh release create "$TAG" --title "$TAG" --draft --notes-from-tag dist/release/* container: runs-on: namespace-profile-gitea-release-docker
diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml
index 44cf49b78c..d486c2e8c5 100644
--- a/.github/workflows/release-tag-version.yml
+++ b/.github/workflows/release-tag-version.yml
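Review bot: `gh release create "$TAG" --title "$TAG" --draft --notes-from-tag dist/release/*` will create the tag on the remote from the default branch if it does not already exist, so a misrouted run (a future `workflow_dispatch` on a branch ref, or a trigger edit — the `on:` block is outside this diff) would mint a tag plus a draft release with `RELEASE_TOKEN`; the pinned gh 2.39.1 supports `--verify-tag`, which makes the step fail closed instead: `gh release create "$TAG" --title "$TAG" --draft --verify-tag --notes-from-tag dist/release/*`. Moving `${{ github.ref_name }}` into `TAG` is the right fix for the old inline expansion — `$`, `;` and backticks are legal in git refnames — and the re-ordering of `env:` before `run:` is cosmetic. The same `--verify-tag` note applies to the non-draft `gh release create` in release-tag-version.yml later in this diff.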
@@ -44,15 +44,20 @@ jobs: gpg_private_key: ${{ secrets.GPGSIGN_KEY }} passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} - name: sign binaries + env: + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }} run: | for f in dist/release/*; do - echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f" + echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f" done # clean branch name to get the folder name in S3 - name: Get cleaned branch name id: clean_name + env: + REF: ${{ github.ref }} run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') + REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') echo "Cleaned name is ${REF_NAME}" echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - name: configure aws 
@@ -62,17 +67,21 @@ jobs: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: upload binaries to s3 + env: + AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} + BRANCH: ${{ steps.clean_name.outputs.branch }} run: | - aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress + aws s3 sync dist/release "s3://$AWS_S3_BUCKET/gitea/$BRANCH" --no-progress - name: Install GH CLI uses: dev-hanz-ops/install-gh-cli-action@af38ce09b1ec248aeb08eea2b16bbecea9e059f8 # v0.2.1 with: gh-cli-version: 2.39.1 - name: create github release - run: | - gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/* env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} + TAG: ${{ github.ref_name }} + run: | + gh release create "$TAG" --title "$TAG" --notes-from-tag dist/release/* container: runs-on: namespace-profile-gitea-release-docker
diff --git a/Makefile b/Makefile
index 40bc202a54..809300d880 100644
--- a/Makefile
+++ b/Makefile
@@ -344,8 +344,9 @@ lint-editorconfig: @$(GO) run $(EDITORCONFIG_CHECKER_PACKAGE) $(EDITORCONFIG_FILES) .PHONY: lint-actions -lint-actions: ## lint action workflow files - $(GO) run $(ACTIONLINT_PACKAGE) +lint-actions: .venv ## lint action workflow files + @$(GO) run $(ACTIONLINT_PACKAGE) + @uv run --frozen zizmor --quiet --min-confidence=medium .github .PHONY: lint-templates lint-templates: .venv node_modules ## lint template files
diff --git a/pyproject.toml b/pyproject.toml
index 20a10d1915..7db3ec5d04 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,6 +7,7 @@ requires-python = ">=3.10" dev = [ "djlint==1.36.4", "yamllint==1.38.0", + "zizmor==1.36.4", ] [tool.djlint]
diff --git a/uv.lock b/uv.lock
index f617fa203e..1d4148ac46 100644
--- a/uv.lock
+++ b/uv.lock
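Review bot: `@uv run --frozen zizmor --quiet --min-confidence=medium .github` in the new `lint-actions` recipe runs zizmor without a GitHub token, and as far as I recall zizmor then skips its online audits (impostor-commit, ref-confusion and friends) with a warning rather than failing — those are the audits that actually validate the pinned `uses:` SHAs this diff is otherwise careful about. Either pass `--offline` so the reduced scope is explicit and local runs are deterministic, and have the CI invocation of `make lint-actions` export `GH_TOKEN` so the online audits run there, or document the gap. `--min-confidence=medium` also hides low-confidence findings, which is a reasonable gating threshold but deserves a comment, e.g. `# medium: low-confidence zizmor findings are advisory, not gating`. Note the target now depends on `.venv`, so any caller outside the compliance workflow needs uv available first.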
@@ -93,6 +93,7 @@ source = { virtual = "." } dev = [ { name = "djlint" }, { name = "yamllint" }, + { name = "zizmor" }, ] [package.metadata]
@@ -101,6 +102,7 @@ dev = [ dev = [ { name = "djlint", specifier = "==1.36.4" }, { name = "yamllint", specifier = "==1.38.0" }, + { name = "zizmor", specifier = "==1.25.1" }, ] [[package]]
@@ -415,3 +417,21 @@ sdist = { url = "https://files.pythonhosted.org/packages/28/a0/8fc2d68e132cf918f wheels = [ { url = "https://files.pythonhosted.org/packages/05/92/aed08e68de6e6a3d7c2328ce7388072cd6affc26e2917197430b646aed02/yamllint-1.38.0-py3-none-any.whl", hash = "sha256:fc394a5b3be980a4062607b8fdddc0843f4fa394152b6da21722f5d59013c220", size = 68940, upload-time = "2026-01-13T07:47:51.343Z" }, ] + +[[package]] +name = "zizmor" +version = "1.25.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/28/16/6fb78c89586bfbd6e2aec21999891e3281ed104d29b65654b0112b6f804f/zizmor-1.25.1.tar.gz", hash = "sha256:f7849ce53371178338bd0302c7ee16fd274354e1f46490b49a76da37a1a1e7a1", size = 517745, upload-time = "2026-05-15T20:08:49.258Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/64/e4/a8971c6a350150485309ead9a09dc38268057d0b07a423f75bc30ef5ac5c/zizmor-1.25.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:afb2e483beb7245d9216ed62ccaf7bef4b59387126521f2b5a47677eda3fade1", size = 9152995, upload-time = "2026-05-15T20:08:50.815Z" }, + { url = "https://files.pythonhosted.org/packages/78/d2/281b579c8cbb5d9f52f70a53db67bf9162ce1f260312d783b415d99b78c6/zizmor-1.25.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:172ff167f4d3616c7af972a5ddcd9e26b6fe4bf39d33bcfbb424da54f667e80b", size = 8682011, upload-time = "2026-05-15T20:08:59.54Z" }, + { url = "https://files.pythonhosted.org/packages/d4/05/c6e16b705452a80aae1d532a64f05b2f672665eb04f9f155d14a81fa62cc/zizmor-1.25.1-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:3eabb625b4e9814754c77f6a79092cd57ce05a1693ef0f2a16362b841c7268db", size = 8849676, upload-time = "2026-05-15T20:08:55.354Z" }, + { url = "https://files.pythonhosted.org/packages/20/06/b5588059bd05d4e61203e3d3dfb34fc5c0930d4b5446c79154cfe0c71c60/zizmor-1.25.1-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:e25e9167d549df0a21a857165b7c57e3d60fd2984f934fa07d1f5e06c9a59f4a", size = 
8463314, upload-time = "2026-05-15T20:08:47.413Z" }, + { url = "https://files.pythonhosted.org/packages/be/5b/a5dd5cb75d4b0cb148d0d395abfd6e9b335244f22372367b5d82fb6d5d60/zizmor-1.25.1-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:917c86ff8f91706e6d6f2e24a3472f64e75397e2dd50c19fda5b117ab1b9f26d", size = 9286826, upload-time = "2026-05-15T20:09:03.528Z" }, + { url = "https://files.pythonhosted.org/packages/db/ad/0d41eb3dd09625f824545590e02b3e5be4fef2fba716b5466a7269dac8bd/zizmor-1.25.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:4db178b1d6671abb78aca64295c7b3081375c3ab9303e966e91cfae20b1604e2", size = 8870771, upload-time = "2026-05-15T20:08:45.237Z" }, + { url = "https://files.pythonhosted.org/packages/65/f3/e9703dcc60fbc91849cbdedff438a8c47fb962e429811d0200ac370f5e13/zizmor-1.25.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:025ff2ae568513af2ca8e5f8da7077920ade7f4454086b0ba32ccfe1b3e9d3c0", size = 8419481, upload-time = "2026-05-15T20:08:57.336Z" }, + { url = "https://files.pythonhosted.org/packages/10/93/857a412ac097a9a887d01994ba7154daf9c9ef160b9ee22a8305914901cb/zizmor-1.25.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:5b727f9dd5bee4138638bcc3a90471326b33dd8aa7cfdd48e9da1513030b75e5", size = 9373062, upload-time = "2026-05-15T20:08:53.123Z" }, + { url = "https://files.pythonhosted.org/packages/13/f0/79c5f3d13a07a85f8fc77be7dfc619e89dbc721ccb9482d894d14d7dff50/zizmor-1.25.1-py3-none-win32.whl", hash = "sha256:6ebb21f7c1f3a6288b70dae899a3850cf4705443a7a0d8a3976508536a867f48", size = 7547943, upload-time = "2026-05-15T20:09:01.844Z" }, + { url = "https://files.pythonhosted.org/packages/90/61/50ceb009e10d9a6dfff176b1c14cf5178c53b50820113b170b43f405a3f1/zizmor-1.25.1-py3-none-win_amd64.whl", hash = "sha256:d3113404fe529751b983f0282373e1c66c755f114ef5078aa6e59cf5f9c3fea9", size = 8622930, upload-time = "2026-05-15T20:08:43.151Z" }, +]