diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index a692e0a..5228136 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,14 +1,7 @@ name: Lint on: - workflow_call: - inputs: - head-ref: - required: true - type: string - secrets: - GITHUB_TOKEN: - required: true + workflow_call: {} permissions: {} @@ -24,7 +17,15 @@ jobs: - name: Check out Git repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - ref: ${{ inputs.head-ref }} + # When the caller triggers on pull_request_target, we need to pass in this ref + # in order to lint the code from the feature branch. If the caller triggers on + # pull_request, passing in this ref isn't necessary, but does no harm. + ref: ${{ format('refs/pull/{0}/merge', github.event.number) }} + # Fetch full history so Trunk can compute the PR diff against the base branch. + # The default (fetch-depth: 1) is a shallow clone with no merge-base, which + # would force Trunk to fetch on the fly — and that fetch would fail because + # persist-credentials: false strips the token after the initial checkout. + fetch-depth: 0 persist-credentials: false - name: Trunk Check uses: trunk-io/trunk-action@04ba50e7658c81db7356da96657e6e77f220bfa3 # v1.3.1 diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index 936a2b7..3938f8b 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml 
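Review bot: `github.event.number` is only populated for pull_request-style events, so when a caller invokes this reusable workflow from any other trigger (push, merge_group, workflow_dispatch) the `ref` added in the second hunk renders as `refs/pull//merge` and the checkout step fails; the `head-ref` input removed in the first hunk was the only way for such callers to supply a ref. A guarded form keeps the fallback to the triggering commit: `ref: ${{ github.event.number && format('refs/pull/{0}/merge', github.event.number) || '' }}`. As far as I know GitHub only materialises the merge ref while the PR is mergeable, so a conflicting PR would now fail at checkout rather than in Trunk — worth one line in the comment. Because the comment explicitly supports `pull_request_target` callers, the checked-out tree is fork-controlled for external PRs and Trunk reads its own configuration from that tree; `persist-credentials: false` is kept, but the job-level permissions (outside the hunk) must stay read-only and secret-free, and the comment should say so, e.g. `# Under pull_request_target this tree is untrusted: keep this job secret-free and read-only.`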
@@ -24,13 +24,16 @@ jobs: issues: write # needed by release-please-action to write issues steps: - name: Create Token for MasterpointBot App - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 #v3.2.0 id: generate-token with: app-id: ${{ secrets.MP_BOT_APP_ID }} private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} + permission-contents: write + permission-pull-requests: write + permission-issues: write - - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3 + - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 #v5.0.0 with: token: ${{ steps.generate-token.outputs.token }} release-type: ${{ inputs.release-type }} diff --git a/.github/workflows/tf-test.yaml b/.github/workflows/tf-test.yaml index 317e44b..bb67c64 100644 --- a/.github/workflows/tf-test.yaml +++ b/.github/workflows/tf-test.yaml @@ -13,8 +13,6 @@ on: required: true SPACELIFT_API_KEY_SECRET: required: true - GITHUB_TOKEN: - required: true permissions: {} diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml deleted file mode 100644 index 35199ab..0000000 --- a/.github/workflows/zizmor.yaml +++ /dev/null @@ -1,25 +0,0 @@ -name: Zizmor - -on: - workflow_call: {} - -permissions: {} - -jobs: - zizmor: - name: zizmor - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: Run zizmor - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 - with: - # Set to false, so zizmor will not upload results to Github Advanced Security - # and will instead print them to the Action's run log. - advanced-security: false - # Set to pedantic so that zizmor will run it's stale-action-refs audit rule - persona: pedantic
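Review bot: The version comments on the two bumped pins (`#v3.2.0`, `#v5.0.0`) have no space after `#`, unlike `# v6.0.2` on the checkout pin in lint.yaml; yamllint's `comments` rule flags that form and tooling that tracks SHA pins by their trailing version comment may not recognise it, so write them as `# v3.2.0` and `# v5.0.0`. The release-please bump crosses a major version (v4 → v5), so the `release-type` and `token` inputs shown in the context lines should be checked against the v5 migration notes — nothing in the hunk indicates that was done. Scoping the app token with `permission-contents`, `permission-pull-requests` and `permission-issues` is the right least-privilege shape; a short comment on each input stating why it is needed, in the style of the existing `issues: write # needed by release-please-action to write issues` context line, would keep a future bump from silently widening it. The job definition and the remaining steps lie outside the hunk.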