diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 772a9742..d130504b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,6 +11,8 @@ updates: pip: patterns: - "*" + cooldown: + default-days: 7 # Maintain dependencies for GitHub Actions - package-ecosystem: "github-actions" @@ -23,3 +25,5 @@ updates: actions: patterns: - "*" + cooldown: + default-days: 7 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a9bf51c1..73eef87b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,5 +44,5 @@ jobs: if: always() with: token: ${{ secrets.CODECOV_ORG_TOKEN }} - file: ./coverage.xml + files: ./coverage.xml flags: Python_${{ steps.python-install.outputs.python-version }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0cc45787..efe6e275 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,12 +2,11 @@ name: Lint on: [push, pull_request, workflow_dispatch] +permissions: {} + env: FORCE_COLOR: 1 -permissions: - contents: read - jobs: lint: runs-on: ubuntu-latest @@ -16,7 +15,4 @@ jobs: - uses: actions/checkout@v6 with: persist-credentials: false - - uses: actions/setup-python@v6 - with: - python-version: "3.x" - - uses: tox-dev/action-pre-commit-uv@v1 + - uses: j178/prek-action@v1 diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..10002656 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,6 @@ +# https://docs.zizmor.sh/configuration/ +rules: + unpinned-uses: + config: + policies: + "*": ref-pin diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 70470385..fc439616 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
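Review bot: The `cooldown` blocks added to the pip entry here and to the github-actions entry in the next hunk have no comment saying what the delay is for or what it leaves out. Dependabot's cooldown applies only to version updates, and security updates are still proposed immediately. Stating this stops a later maintainer from removing the setting in the belief that it delays fixes. I would add above each block `# Wait 7 days before proposing a new release; security updates are not delayed`. Indentation is lost in this view, so also confirm that `cooldown` sits at the update-entry level beside `groups` rather than inside the group.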
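Review bot: `j178/prek-action@v1` in the last step of the lint job is a third-party action referenced by a mutable tag, so whoever controls that tag decides what code the job runs. Exposure is limited by `permissions: {}` and `persist-credentials: false`, but pinning to a full commit SHA with the tag as a trailing comment fixes the executed code and still lets Dependabot propose bumps: `- uses: j178/prek-action@<full-commit-sha>  # v1`. The hunk also drops the `actions/setup-python` step. Presumably the new action provisions its own interpreter for the Python-based hooks, but that is worth confirming.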
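Review bot: The policy `"*": ref-pin` in the new zizmor.yml relaxes the `unpinned-uses` audit for every action, third-party ones included, so a tag-pinned action such as `j178/prek-action@v1` will never be flagged. As I understand zizmor's defaults, ref pins are accepted only for GitHub-owned namespaces and hash pins are required elsewhere. If tag pins are wanted only for first-party actions, scope the policy with `"actions/*": ref-pin` followed by `"*": hash-pin`. If the wildcard is deliberate, a comment in the file recording that decision would help the next reviewer.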
@@ -1,24 +1,50 @@ repos: - - repo: https://github.com/psf/black - rev: 23.9.1 + - repo: https://github.com/psf/black-pre-commit-mirror + rev: 25.12.0 hooks: - id: black - repo: https://github.com/PyCQA/isort - rev: 5.12.0 + rev: 7.0.0 hooks: - id: isort files: \.py$ - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v6.0.0 hooks: - id: check-builtin-literals - id: check-added-large-files - id: check-case-conflict - - id: check-toml - id: check-yaml - id: debug-statements - id: end-of-file-fixer - - id: forbid-new-submodules + - id: forbid-submodules + - id: requirements-txt-fixer - id: trailing-whitespace + + - repo: https://github.com/python-jsonschema/check-jsonschema + rev: 0.36.0 + hooks: + - id: check-dependabot + - id: check-github-workflows + + - repo: https://github.com/rhysd/actionlint + rev: v1.7.10 + hooks: + - id: actionlint + + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.19.0 + hooks: + - id: zizmor + + - repo: https://github.com/tox-dev/tox-ini-fmt + rev: 1.7.1 + hooks: + - id: tox-ini-fmt + + - repo: meta + hooks: + - id: check-hooks-apply + - id: check-useless-excludes diff --git a/bedevere/backport.py b/bedevere/backport.py index 6dede2d0..968ab6ea 100644 --- a/bedevere/backport.py +++ b/bedevere/backport.py @@ -1,4 +1,5 @@ """Automatically remove a backport label, and check backport PR validity.""" + import functools import re diff --git a/bedevere/close_pr.py b/bedevere/close_pr.py index a05c856b..c9b6a7f9 100644 --- a/bedevere/close_pr.py +++ b/bedevere/close_pr.py @@ -1,4 +1,5 @@ """Automatically close PR that tries to merge maintenance branch into main.""" + import re import gidgethub.routing diff --git a/bedevere/filepaths.py b/bedevere/filepaths.py index 02dd3fad..72df27d9 100644 --- a/bedevere/filepaths.py +++ b/bedevere/filepaths.py @@ -1,4 +1,5 @@ """Checks related to filepaths on a pull request.""" + import gidgethub.routing from . import news, prtype, util 
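Review bot: Every `rev` in the .pre-commit-config.yaml hunk is a tag, which the upstream owner can move, and the hook code runs on contributor machines and in the lint job. That includes the four newly added repositories (check-jsonschema, actionlint, zizmor-pre-commit, tox-ini-fmt). `pre-commit autoupdate --freeze` rewrites each `rev` to the commit SHA and keeps the tag as a comment, e.g. `rev: <full-commit-sha>  # frozen: v1.19.0`. Freezing would also make the security linters introduced here reproducible between runs.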
diff --git a/bedevere/gh_issue.py b/bedevere/gh_issue.py index 46dc1b20..9614ae53 100644 --- a/bedevere/gh_issue.py +++ b/bedevere/gh_issue.py @@ -1,4 +1,5 @@ """Check if a GitHub issue number is specified in the pull request's title.""" + import re from typing import Literal diff --git a/bedevere/news.py b/bedevere/news.py index 6088af34..576452ab 100644 --- a/bedevere/news.py +++ b/bedevere/news.py @@ -1,4 +1,5 @@ """Check for a news entry.""" + import functools import pathlib import re diff --git a/bedevere/prtype.py b/bedevere/prtype.py index 5136c74a..64e97520 100644 --- a/bedevere/prtype.py +++ b/bedevere/prtype.py @@ -1,4 +1,5 @@ """Label a pull request based on its type.""" + import enum import pathlib diff --git a/dev-requirements.txt b/dev-requirements.txt index 3a7f06ea..1a6a940b 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -1,6 +1,6 @@ -r requirements.txt asynctest==0.13.0 pytest==9.0.2 -pytest-asyncio==1.3.0 pytest-aiohttp==1.1.0 +pytest-asyncio==1.3.0 pytest-cov==7.0.0 diff --git a/requirements.txt b/requirements.txt index 90cb5186..23099c89 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,7 +7,7 @@ gidgethub==5.4.0 multidict==6.7.0 packaging==25.0 pyparsing==3.3.1 +sentry-sdk==2.48.0 six==1.17.0 uritemplate==4.2.0 yarl==1.22.0 -sentry-sdk==2.48.0 diff --git a/tox.ini b/tox.ini index a266c2eb..640915e4 100644 --- a/tox.ini +++ b/tox.ini @@ -1,12 +1,14 @@ [tox] -envlist = py{314, 313, 312, 311, 310} -toxworkdir={env:TOX_WORK_DIR:.tox} +requires = + tox>=4.2 +env_list = + py{314, 313, 312, 311, 310} [testenv] -passenv = - FORCE_COLOR -skip_install = True +skip_install = true deps = - -r dev-requirements.txt + -r dev-requirements.txt +pass_env = + FORCE_COLOR commands = - pytest {posargs} + pytest {posargs}