diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
new file mode 100644
index 0000000..ff21558
--- /dev/null
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,30 @@
+# Copilot Instructions
+
+This is a GitHub Action identifies and reports repositories with no activity for configurable amount of time, in order to surface inactive repos to be considered for archival.
+
+## Code Standards
+
+### Required Before Each Commit
+
+- Run `make lint` before committing any changes to ensure proper code linting and formatting.
+
+### Development Flow
+
+- Lint: `make lint`
+- Test: `make test`
+
+## Repository Structure
+
+- `Makefile`: Contains commands for linting, testing, and other tasks
+- `requirements.txt`: Python dependencies for the project
+- `requirements-test.txt`: Python dependencies for testing
+- `README.md`: Project documentation and setup instructions
+- `setup.py`: Python package setup configuration
+- `test_*.py`: Python test files matching the naming convention for test discovery
+
+## Key Guidelines
+
+1. Follow Python best practices and idiomatic patterns
+2. Maintain existing code structure and organization
+3. Write unit tests for new functionality.
+4. Document changes to environment variables in the `README.md` file.
diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml
new file mode 100644
index 0000000..d543fa9
--- /dev/null
+++ b/.github/linters/trivy.yaml
@@ -0,0 +1,3 @@
+scan:
+ skip-dirs:
+ - .mypy_cache
diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
new file mode 100644
index 0000000..9745a0a
--- /dev/null
+++ b/.github/linters/zizmor.yaml
@@ -0,0 +1,6 @@
+rules:
+ dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests
+ ignore:
+ - auto-labeler.yml
+ - pr-title.yml
+ - release.yml
diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml
index 051eff1..0fc577f 100644
--- a/.github/workflows/auto-labeler.yml
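Review bot: The `dangerous-triggers` ignore list in zizmor.yaml exempts three workflows while the inline comment explains only the auto-labeller's need for `pull_request_target`; pr-title.yml and release.yml are silenced with no stated reason, and release.yml in this same diff runs jobs with `contents: write` and `packages: write`. Each entry should carry its own justification as a trailing comment (`- release.yml # <why this workflow needs the trigger>`), or be dropped from the list if that workflow does not actually need it. If the zizmor version in use supports location-scoped ignores (the `file.yml:line` form), narrowing each entry to the trigger line would keep the rest of those workflows audited.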
+++ b/.github/workflows/auto-labeler.yml @@ -11,7 +11,7 @@ jobs: permissions: contents: read pull-requests: write - uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: config-name: release-drafter.yml secrets: diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml new file mode 100644 index 0000000..d33b8b6 --- /dev/null +++ b/.github/workflows/copilot-setup-steps.yml 
@@ -0,0 +1,40 @@ +name: "Copilot Setup Steps" + +# Automatically run the setup steps when they are changed to allow for easy validation, and +# allow manual testing through the repository's "Actions" tab +on: + workflow_dispatch: + push: + paths: + - .github/workflows/copilot-setup-steps.yml + pull_request: + paths: + - .github/workflows/copilot-setup-steps.yml + +# Set the permissions to the lowest permissions possible needed for your steps. +# Copilot will be given its own token for its operations. +permissions: + # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete. + contents: read + +jobs: + # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot. + copilot-setup-steps: + runs-on: ubuntu-latest + + # You can define any steps you want, and they will run before the agent starts. + # If you do not check out your code, Copilot will do this for you. + steps: + - name: Checkout code + uses: actions/checkout@v5.0.0 + with: + persist-credentials: false + + - name: Set up Python + uses: actions/setup-python@v6.0.0 + with: + python-version: 3.12 + + - name: Install dependencies + run: | + pip install -r requirements.txt -r requirements-test.txt diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index edfd2e5..090affb 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -15,5 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Build the Docker image run: docker build . --file Dockerfile --platform linux/amd64 --tag stale_repos:"$(date +%s)" diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml index 531a1aa..2273d76 100644 --- a/.github/workflows/linter.yaml 
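Review bot: `python-version: 3.12` in the "Set up Python" step of copilot-setup-steps.yml is an unquoted float; it survives as 3.12 here, but the linter.yaml hunk in this same commit quotes the value, and the two should agree: `python-version: "3.12"`. Separately, `actions/checkout@v5.0.0` and `actions/setup-python@v6.0.0` in this file are pinned to mutable tags, while github/codeql-action and super-linter elsewhere in the commit are pinned to commit SHAs; the same tag pinning appears in the docker-image.yml, linter.yaml, python-package.yml and use-action.yml hunks. Pinning those to a SHA with a `# vX.Y.Z` trailing comment, as scorecard.yml does, would make the supply-chain posture consistent across the workflows.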
+++ b/.github/workflows/linter.yaml @@ -23,12 +23,17 @@ jobs: # Full git history is needed to get a proper # list of changed files within `super-linter` fetch-depth: 0 + persist-credentials: false + - name: Setup Python + uses: actions/setup-python@v6.0.0 + with: + python-version: "3.12" - name: Install dependencies run: | python -m pip install --upgrade pip pip install -r requirements.txt -r requirements-test.txt - name: Lint Code Base - uses: super-linter/super-linter@5119dcd8011e92182ce8219d9e9efc82f16fddb6 + uses: super-linter/super-linter@ffde3b2b33b745cb612d787f669ef9442b1339a6 env: DEFAULT_BRANCH: main GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/major-version-updater.yml b/.github/workflows/major-version-updater.yml index d778770..e037a64 100644 --- a/.github/workflows/major-version-updater.yml +++ b/.github/workflows/major-version-updater.yml @@ -21,6 +21,7 @@ jobs: with: fetch-tags: true ref: ${{ github.event.inputs.TAG_NAME || github.ref }} + persist-credentials: false - name: version id: version run: | @@ -30,5 +31,8 @@ jobs: { echo "tag=${tag}"; echo "version=${version}"; echo "major=${major}"; } >> "$GITHUB_OUTPUT" - name: force update major tag run: | - git tag -f v${{ steps.version.outputs.major }} ${{ steps.version.outputs.tag }} - git push -f origin v${{ steps.version.outputs.major }} + git tag -f v${STEPS_VERSION_OUTPUTS_MAJOR} ${STEPS_VERSION_OUTPUTS_TAG} + git push -f origin v${STEPS_VERSION_OUTPUTS_MAJOR} + env: + STEPS_VERSION_OUTPUTS_MAJOR: ${{ steps.version.outputs.major }} + STEPS_VERSION_OUTPUTS_TAG: ${{ steps.version.outputs.tag }} diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 77afc54..66d1da6 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml 
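Review bot: `persist-credentials: false` added to the checkout in the first major-version-updater.yml hunk removes the token that `git push -f origin …` in the second hunk relies on; unless a step outside these hunks configures push credentials (a token in the remote URL or a credential helper), the force-push of the major tag will fail with an authentication error. Either leave credentials persisted for this one workflow, or add an explicit authenticated push step. Separately, moving the step outputs into `env` closes the expression-injection path, but the expansions in the rewritten lines are still unquoted and subject to word splitting: `git tag -f "v${STEPS_VERSION_OUTPUTS_MAJOR}" "${STEPS_VERSION_OUTPUTS_TAG}"` and `git push -f origin "v${STEPS_VERSION_OUTPUTS_MAJOR}"`. The `version` step that produces these outputs starts outside the hunk, so whether it validates the tag format before it is used here cannot be confirmed from this view.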
@@ -12,6 +12,6 @@ jobs: contents: read pull-requests: read statuses: write - uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 secrets: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml index 0f95ae1..dc7fd47 100644 --- a/.github/workflows/python-package.yml +++ b/.github/workflows/python-package.yml @@ -20,8 +20,10 @@ jobs: python-version: [3.11, 3.12, 3.13] steps: - uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5.6.0 + uses: actions/setup-python@v6.0.0 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9aca14d..9206d79 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ jobs: permissions: contents: write pull-requests: read - uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: publish: true release-config-name: release-drafter.yml @@ -25,7 +25,7 @@ jobs: packages: write id-token: write attestations: write - uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: image-name: ${{ github.repository_owner }}/stale_repos full-tag: ${{ needs.release.outputs.full-tag }} 
@@ -40,7 +40,7 @@ jobs: permissions: contents: read discussions: write - uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b + uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0 with: full-tag: ${{ needs.release.outputs.full-tag }} body: ${{ needs.release.outputs.body }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 23c2e79..a67da4c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -42,6 +42,6 @@ jobs: path: results.sarif retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.5 + uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5 with: sarif_file: results.sarif diff --git a/.github/workflows/use-action.yml b/.github/workflows/use-action.yml index c838986..c756339 100644 --- a/.github/workflows/use-action.yml +++ b/.github/workflows/use-action.yml @@ -20,6 +20,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Run stale_repos tool uses: docker://ghcr.io/github/stale_repos:v3 env: diff --git a/Dockerfile b/Dockerfile index 23fd630..c4445f8 100644 --- a/Dockerfile +++ b/Dockerfile 
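Review bot: The trailing `# v3.29.5` comment on the `upload-sarif` line in scorecard.yml was left unchanged while the SHA moved from `df559355d593797519d70b90fc8edd5db049e7a2` to `192325c86100d080feab897ff886c34abd4c83a3`; if the new SHA belongs to a different release, the comment now misstates what is pinned, which is exactly what a reviewer of a SHA pin relies on. Update the comment to the tag the new SHA was taken from, `uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # <tag of that commit>`, or, if both SHAs are the same release, say so in the commit description.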
@@ -16,7 +16,17 @@ COPY requirements.txt *.py /action/workspace/ RUN python3 -m pip install --no-cache-dir -r requirements.txt \ && apt-get -y update \ && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \ - && rm -rf /var/lib/apt/lists/* + && rm -rf /var/lib/apt/lists/* \ + && addgroup --system appuser \ + && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \ + && chown -R appuser:appuser /action/workspace + +# Run the action as a non-root user +USER appuser + +# Add a simple healthcheck to satisfy container scanners +HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \ + CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/stale_repos.py') else 1)" CMD ["/action/workspace/stale_repos.py"] ENTRYPOINT ["python3", "-u"]
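Review bot: `USER appuser` switches the action container to a non-root user, but GitHub's Dockerfile guidance for container actions says they are run as the default Docker user and that a `USER` instruction can prevent access to `GITHUB_WORKSPACE`; with the workspace bind-mounted from the runner, any output the tool writes there may fail with a permission error. That should be verified by running the published image through use-action.yml before this ships as `v3`, and the outcome recorded next to the instruction, e.g. `# Non-root user: verified the action can still write to GITHUB_WORKSPACE`. The `HEALTHCHECK` only tests that `/action/workspace/stale_repos.py` exists, which the `COPY` shown in the hunk header already guarantees, and to my knowledge the Actions runner never consults container health status; the comment should say so rather than imply a liveness check, e.g. `# For container scanners only: the Actions runner does not evaluate HEALTHCHECK`.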