diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5458033e33..b661f73157 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,3 +13,5 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ab28a9a354..606e6322f5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,6 +54,7 @@ jobs:
               uses: actions/checkout@v5
               with:
                 fetch-depth: 10
+                persist-credentials: false
 
             - name: Install calibre dependencies
               run: setup/arch-ci.sh
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b51246787d..d061587141 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,6 +42,7 @@ jobs:
               # We must fetch at least the immediate parents so that if this is
               # a pull request then we can checkout the head.
               fetch-depth: 2
+              persist-credentials: false
 
         # Initializes the CodeQL tools for scanning.
         - name: Initialize CodeQL