diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000000..ca0e19b737
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,10 @@
+rules:
+ # TODO(charlie): Move these workflows to use dedicated GitHub environments.
+ secrets-outside-env:
+ ignore:
+ - notify-dependents.yml
+ - publish-docs.yml
+ - publish-playground.yml
+ - publish-ty-playground.yml
+ - publish-versions.yml
+ - publish-wasm.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 08ca5a502a..c018ea961b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -71,7 +71,7 @@ repos:
 # zizmor detects security vulnerabilities in GitHub Actions workflows.
 # Additional configuration for the tool is found in `.github/zizmor.yml`
 - repo: https://github.com/zizmorcore/zizmor-pre-commit
- rev: v1.22.0
+ rev: v1.23.1
 hooks:
 - id: zizmor
 priority: 0
@@ -104,7 +104,7 @@ repos:
 priority: 0
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.15.4
+ rev: v0.15.5
 hooks:
 - id: ruff-format
 exclude: crates/ty_python_semantic/resources/corpus/
@@ -118,7 +118,7 @@ repos:
 # Priority 1: Second-pass fixers (e.g., markdownlint-fix runs after mdformat).
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.47.0
+ rev: v0.48.0
 hooks:
 - id: markdownlint-fix
 exclude: |
@@ -130,7 +130,7 @@ repos:
 # Priority 2: ruffen-docs runs after markdownlint-fix (both modify markdown).
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.15.4
+ rev: v0.15.5
 hooks:
 - id: ruff-format
 name: mdtest format
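Review bot: The `ignore` list under `secrets-outside-env` in the new `.github/zizmor.yml` suppresses the audit for each of the six workflow files as a whole, so a secret reference added to any of them later would also go unreported until the TODO is resolved. zizmor's `ignore` entries also accept a `file.yml:line` form, and the tool honours an inline `# zizmor: ignore[secrets-outside-env]` comment at the use site; either would limit the suppression to the references that exist today, e.g. `- publish-docs.yml:<line>`, at the cost of updating the entry when the workflow is edited. Judging by their names these are the publishing and notification workflows, which are presumably the ones holding release credentials, so the TODO would be easier to follow up if it pointed at a tracking issue: `# TODO(charlie): Move these workflows to use dedicated GitHub environments (see <issue-url>).`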