diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2fc896980..d3693f0dc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,6 +8,8 @@ updates:
 interval: "weekly"
 day: "monday"
 open-pull-requests-limit: 4
+ cooldown:
+ default-days: 7
 
 # Maintain dependencies for poetry
 - package-ecosystem: "pip"
@@ -15,4 +17,6 @@ updates:
 schedule:
 interval: "weekly"
 day: "monday"
- open-pull-requests-limit: 4
\ No newline at end of file
+ open-pull-requests-limit: 4
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index 157e32fb5..daf803866 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -120,7 +120,7 @@ jobs:
 - name: Report New Pull Request to Slack Channel
 id: report-pr-slack
 if: ${{ steps.create-pr.outputs.pr_url }}
- uses: ravsamhq/notify-slack-action@v2
+ uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0
 with:
 status: '${{ job.status }}'
 token: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/.github/workflows/fast-tests-extension.yml b/.github/workflows/fast-tests-extension.yml
index b99aaeeb3..0c8dfca7f 100644
--- a/.github/workflows/fast-tests-extension.yml
+++ b/.github/workflows/fast-tests-extension.yml
@@ -13,6 +13,8 @@ jobs:
 - name: Check out Repository
 id: check-out-repository
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
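Review bot: The trailing comment on the new `uses:` line in the dependency-update.yml hunk reads `# 2.5.0`, whereas the other hash pin introduced by this commit uses the tag form (`# v0.5.3`); tooling that refreshes hash pins recovers the tag from that comment, so it should spell the tag exactly, i.e. `uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0` if the action tags its releases with a `v` prefix. The identical line appears again in the template copy under exasol/toolbox/templates/github/workflows/dependency-update.yml further down in this diff and should be kept in step. The `token: '${{ secrets.GITHUB_TOKEN }}'` passed to this third-party action is unchanged; the hash pin is what bounds that token's exposure to the reviewed revision, which makes an accurate version comment worth the extra character.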
@@ -24,3 +26,21 @@ jobs:
 - name: Lint Imports
 id: lint-imports
 run: poetry run -- nox -s lint:import
+
+ # This will be moved to a standard check in the checks.yml in:
+ # https://github.com/exasol/python-toolbox/issues/811
+ lint-github-actions:
+ name: Lint GitHub Actions
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Check out Repository
+ id: check-out-repository
+ uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+
+ - name: Lint GitHub actions with Zizmor
+ id: lint-github-actions
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index dceb9c487..2c0c465ca 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -35,7 +35,7 @@ jobs:
 
 - name: Upload Artifact
 id: upload-artifact
- uses: actions/upload-pages-artifact@v5.0.0
+ uses: actions/upload-pages-artifact@v5
 with:
 path: html-documentation
 
diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml
index 8c4cd585f..b1d7f905e 100644
--- a/.github/workflows/slow-checks.yml
+++ b/.github/workflows/slow-checks.yml
@@ -26,6 +26,8 @@ jobs:
 - name: Check out Repository
 id: check-out-repository
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..6a6e5fd3c
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,15 @@
+rules:
+ github-env:
+ disable: true
+ secrets-inherit:
+ disable: true
+ template-injection:
+ disable: true
+ unpinned-uses:
+ config:
+ policies:
+ "actions/*": ref-pin
+ exasol/python-toolbox/.github/actions/python-environment: ref-pin
+ "*": hash-pin
+ use-trusted-publishing:
+ disable: true
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
index 9f9516f0c..6bc5dd92f 100644
--- a/doc/changes/unreleased.md
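Review bot: The new `lint-github-actions` job in the fast-tests-extension.yml hunk declares no `permissions:` block, so it runs with whatever default the workflow or repository grants to `GITHUB_TOKEN`; the job appears to need only read access to the checkout, so that should be stated on the job itself, `permissions:` followed by `  contents: read` directly under `runs-on: ubuntu-24.04`. Whether a workflow-level `permissions:` already narrows the default is outside this hunk. The `persist-credentials: false` on the checkout and the hash pin with its `# v0.5.3` comment are consistent with the rest of the commit; the `# This will be moved…` comment would read better if it also named the issue's intent in a few words rather than relying on the link alone.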
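Review bot: In the new .github/zizmor.yml, `template-injection` and `github-env` are disabled for the whole repository, which also silences them for every workflow added later; the narrower remedy is a `# zizmor: ignore[template-injection]` comment on the specific line that produces the finding, or an `ignore:` list of `<file>[:<line>]` entries under the rule, so the audit stays active elsewhere. Each `disable: true` should carry a `#` comment naming the finding it suppresses and why it is acceptable, because as written the file gives a future reader no way to tell a considered exception from an oversight. The `exasol/python-toolbox/.github/actions/python-environment: ref-pin` policy exempts a composite action hosted in another repository from hash pinning; that is a reasonable choice for a first-party action, but it moves the trust boundary to write access on that repository, which is worth stating in the same comment.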
+++ b/doc/changes/unreleased.md
@@ -6,3 +6,4 @@
 ## Feature
 
 * #730: Added support to extend GitHub workflow `cd.yml`
+* #864: Modified PTB workflow templates to not persist credentials and to use pinned SHAs
\ No newline at end of file
diff --git a/exasol/toolbox/templates/github/dependabot.yml b/exasol/toolbox/templates/github/dependabot.yml
index e9373b46e..d3693f0dc 100644
--- a/exasol/toolbox/templates/github/dependabot.yml
+++ b/exasol/toolbox/templates/github/dependabot.yml
@@ -8,6 +8,8 @@ updates:
 interval: "weekly"
 day: "monday"
 open-pull-requests-limit: 4
+ cooldown:
+ default-days: 7
 
 # Maintain dependencies for poetry
 - package-ecosystem: "pip"
@@ -16,3 +18,5 @@ updates:
 interval: "weekly"
 day: "monday"
 open-pull-requests-limit: 4
+ cooldown:
+ default-days: 7
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml
index f24573f54..a620b9b21 100644
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml
@@ -119,7 +119,7 @@ jobs:
 - name: Report New Pull Request to Slack Channel
 id: report-pr-slack
 if: ${{ steps.create-pr.outputs.pr_url }}
- uses: ravsamhq/notify-slack-action@v2
+ uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0
 with:
 status: '${{ job.status }}'
 token: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml
index e7ef3210a..17fdbdbf3 100644
--- a/exasol/toolbox/templates/github/workflows/gh-pages.yml
+++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml
@@ -34,7 +34,7 @@ jobs:
 
 - name: Upload Artifact
 id: upload-artifact
- uses: actions/upload-pages-artifact@v5.0.0
+ uses: actions/upload-pages-artifact@v5
 with:
 path: html-documentation
 
diff --git a/poetry.lock b/poetry.lock
index fc191d526..2e052025a 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.3.0 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.4.1 and should not be changed by hand.
 
 [[package]]
 name = "accessible-pygments"
@@ -2649,8 +2649,8 @@ astroid = ">=4.0.2,<=4.1.dev0"
 colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""}
 dill = [
 {version = ">=0.2", markers = "python_version < \"3.11\""},
- {version = ">=0.3.7", markers = "python_version >= \"3.12\""},
 {version = ">=0.3.6", markers = "python_version == \"3.11\""},
+ {version = ">=0.3.7", markers = "python_version >= \"3.12\""},
 ]
 isort = ">=5,<5.13 || >5.13,<9"
 mccabe = ">=0.6,<0.8"
@@ -4062,7 +4062,28 @@ enabler = ["pytest-enabler (>=3.4)"]
 test = ["big-O", "jaraco.functools", "jaraco.itertools", "jaraco.test", "more_itertools", "pytest (>=6,!=8.1.*)", "pytest-ignore-flaky"]
 type = ["pytest-mypy (>=1.0.1) ; platform_python_implementation != \"PyPy\""]
 
+[[package]]
+name = "zizmor"
+version = "1.25.2"
+description = "Static analysis for GitHub Actions"
+optional = false
+python-versions = ">=3.10"
+groups = ["main"]
+files = [
+ {file = "zizmor-1.25.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:17cc8cfd9d472e8b11945a869c198d25cfdf4a33f36fa7a1f9674099f5fb509d"},
+ {file = "zizmor-1.25.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d3e301eb4465e2da77857cf01ab4ef0184cf3818e826800b270ab01ae7338977"},
+ {file = "zizmor-1.25.2-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:cf64374149b567c9373228b76c8e77a389b4071899f84b82c36ee50fab894e79"},
+ {file = "zizmor-1.25.2-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:0beba1601be08bd00c9277e6ed4b026e125b26b379d86d6d98eb708409b3050d"},
+ {file = "zizmor-1.25.2-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:c4246f1344d8dbeffc044d7bb11b131773a7db7eb57d9073c45942dfd3543a1f"},
+ {file = "zizmor-1.25.2-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:dbb1b5c85b8de8eaa0227c6620f06c8e4fbd0a4da2086e218bc225c0bef0923d"},
+ {file = "zizmor-1.25.2-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d670a1e2f00b3cd56febd145bc1a0b2c4caf1cbe5dad8128721843fa877e2d2e"},
+ {file = "zizmor-1.25.2-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b75c84d7387389f95edadbe859fb2aaf0a360c5b080932cc53e92ae1db6f09ef"},
+ {file = "zizmor-1.25.2-py3-none-win32.whl", hash = "sha256:aa9f4c43b499c55339c3ef2e885133c5017cd9a18d76d9335541203cfa5ae1e7"},
+ {file = "zizmor-1.25.2-py3-none-win_amd64.whl", hash = "sha256:af55bd9bd119ea8cbce2a7addc3922503019de32c1fe31106d70b3dc77d77908"},
+ {file = "zizmor-1.25.2.tar.gz", hash = "sha256:f26ffeb16659c8922c7b08203ca5a4f8bf5e1a7e8d190734961c40877cf778ea"},
+]
+
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10,<4.0"
-content-hash = "3d5c07aeaab839a92ec06e66addd20d634864518ef66d76623d08d5eaae6817b"
+content-hash = "a0c2776376a043679e656b301d640e4b13835be4910ee122da54fd8ef37ed85f"
diff --git a/pyproject.toml b/pyproject.toml
index 4dbc06d44..569c72ee3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -59,6 +59,7 @@ dependencies = [
 "structlog (>=25.5.0,<26.0.0)",
 "typer[all]>=0.7.0",
 "twine>=6.1.0,<7",
+ "zizmor (>=1.25.2,<2.0.0)",
 ]
 
 [project.scripts]
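Review bot: `zizmor` is added to the main `dependencies` list in the pyproject.toml hunk, so every project that installs the toolbox will pull in the zizmor wheel, yet nothing in this diff shows the Python package being invoked — the new lint job uses `zizmorcore/zizmor-action` instead — so the consumer of this dependency is presumably a nox session outside the diff and should be named. The matching lock entry lists wheels only for macOS, manylinux, musllinux and Windows, so consumers on other platforms would fall back to the sdist, which is worth knowing before widening the toolbox's install footprint. A short comment on the new line, e.g. `# static analysis for GitHub Actions workflows, run by the toolbox's lint sessions`, would make the intent explicit.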