diff --git a/.github/workflows/yetus-general-check.yml b/.github/workflows/yetus-general-check.yml index bb285a7b0692..b77c5cf55d87 100644 --- a/.github/workflows/yetus-general-check.yml +++ b/.github/workflows/yetus-general-check.yml @@ -23,33 +23,35 @@ name: Yetus General Check pull_request: types: [opened, synchronize, reopened] -permissions: - contents: read - statuses: write +permissions: {} jobs: general-check: runs-on: ubuntu-latest timeout-minutes: 600 + permissions: + contents: read + statuses: write env: YETUS_VERSION: '0.15.0' steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses] with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses] with: java-version: '17' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@v4 # zizmor: ignore[unpinned-uses] with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} 
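Review bot: The `# zizmor: ignore[unpinned-uses]` comments on the `actions/checkout@v4`, `actions/setup-java@v4` and `actions/cache@v4` lines suppress the finding rather than resolve it; a `v4` tag is mutable, so a retargeted tag would still run inside this job with `contents: read` and `statuses: write`. Pinning to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, removes the need for the ignore (and Dependabot keeps the comment current); if the suppression is deliberate, a short comment saying why would help the next reader. `persist-credentials: false` is the right default, but any later step in this job that fetches from or pushes to the remote (the job continues past the hunk) will no longer have the token in the checkout's git config, so it is worth confirming against the Yetus steps. The same points apply to the checkout hunks in yetus-jdk17-hadoop3-compile-check.yml (@@ -37) and yetus-jdk17-hadoop3-unit-check.yml (@@ -56).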
@@ -101,8 +103,36 @@ jobs: - name: Publish Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses] with: name: yetus-general-check-output path: ${{ github.workspace }}/yetus-general-check/output retention-days: 7 + + zizmor: + runs-on: ubuntu-latest + timeout-minutes: 5 + permissions: + contents: read + + steps: + - name: Check for workflow changes + id: changes + env: + GH_TOKEN: ${{ github.token }} + run: | + if gh pr diff "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --name-only | grep -q '^\.github/workflows/'; then + echo "changed=true" >> "$GITHUB_OUTPUT" + else + echo "changed=false" >> "$GITHUB_OUTPUT" + fi + + - name: Checkout HBase + if: steps.changes.outputs.changed == 'true' + uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses] + with: + persist-credentials: false + + - name: Run zizmor + if: steps.changes.outputs.changed == 'true' + run: pipx run zizmor --min-severity=medium .github/workflows/ diff --git a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml index 8526943c3339..6719f466873c 100644 --- a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml +++ b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml @@ -37,19 +37,20 @@ jobs: steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses] with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses] with: java-version: '17' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@v4 # zizmor: ignore[unpinned-uses] with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} 
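Review bot: The `gh pr diff ... | grep -q` pipeline in the `Check for workflow changes` step fails open: the step runs under the default `bash -e {0}` (no `pipefail`), so if `gh` errors the pipeline's status is grep's, `changed=false` is written, and the `Run zizmor` step is silently skipped on exactly the PRs where the audit should have run. Capturing `gh`'s output in a variable and defaulting to `changed=true` on error (or at least `shell: bash`, which adds `-o pipefail`) makes the check fail closed. The same step interpolates `${{ github.event.pull_request.number }}` and `${{ github.repository }}` straight into the script; both are repository-controlled values, but routing them through `env:` is the shape zizmor's `template-injection` audit expects and keeps expression syntax out of shell. Separately, `pipx run zizmor` resolves to whatever the latest PyPI release is at run time, so `pipx run zizmor==<version>` would keep the audit reproducible.
```yaml
      - name: Check for workflow changes
        id: changes
        shell: bash  # explicit bash adds -o pipefail to the default -e
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          # Fail closed: if the file list cannot be fetched, run the audit anyway.
          if ! changed_files=$(gh pr diff "$PR_NUMBER" --repo "$REPO" --name-only); then
            echo "::warning::could not list PR files; running zizmor unconditionally"
            echo "changed=true" >> "$GITHUB_OUTPUT"
          elif grep -q '^\.github/workflows/' <<<"$changed_files"; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Checkout HBase step …
      - name: Run zizmor
        if: steps.changes.outputs.changed == 'true'
        run: pipx run zizmor==<pinned-version> --min-severity=medium .github/workflows/
```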
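Review bot: The job-level `permissions:` scoping that the yetus-general-check.yml hunk introduces (`permissions: {}` at the workflow level, `contents: read` / `statuses: write` on the job) is not visible in this @@ -37 hunk of yetus-jdk17-hadoop3-compile-check.yml, which starts at `steps:`, so I cannot tell whether this workflow still grants its permissions at the workflow level. If it does, applying the same split here — an empty top-level `permissions: {}` and only the scopes the job needs under the job — keeps the four Yetus workflows consistent and least-privilege, and it is also what zizmor's `excessive-permissions` audit will otherwise report. The same question applies to the @@ -56 hunk of yetus-jdk17-hadoop3-unit-check.yml.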
@@ -99,7 +100,7 @@ jobs: - name: Publish Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses] with: name: yetus-jdk17-hadoop3-compile-check-output path: ${{ github.workspace }}/yetus-jdk17-hadoop3-compile-check/output diff --git a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml index b4cc992b9a08..bc89a02f7070 100644 --- a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml +++ b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml @@ -56,19 +56,20 @@ jobs: steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses] with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses] with: java-version: '17' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@v4 # zizmor: ignore[unpinned-uses] with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} @@ -122,7 +123,7 @@ jobs: - name: Publish Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses] with: name: yetus-jdk17-hadoop3-unit-check-${{ matrix.name }} path: ${{ github.workspace }}/yetus-jdk17-hadoop3-unit-check/output