diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 258309b519b..48bbde072ed 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -141,7 +141,12 @@ jobs:
 - name: Install dependencies
 uses: ./.github/actions/install-linux-deps
- with: ${{ matrix.dependencies || fromJSON('{}') }}
+ # zizmor has an issue with dynamic `with`
+ # with: ${{ matrix.dependencies || fromJSON('{}') }}
+ with:
+ gcc-multilib: ${{ matrix.dependencies.gcc-multilib || false }}
+ musl-tools: ${{ matrix.dependencies.musl-tools || false }}
+ gcc-aarch64-linux-gnu: ${{ matrix.dependencies.gcc-aarch64-linux-gnu || false }}
 - uses: dtolnay/rust-toolchain@stable
 with:
@@ -571,3 +576,15 @@ jobs:
 - run: cargo binstall --no-confirm cargo-shear
 - run: cargo shear
+
+ security-lint:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
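Review bot: In the first hunk (`Install dependencies` step), any key in `matrix.dependencies` other than the three now listed under `with:` is silently dropped, where the old dynamic `with` forwarded every key. The `|| false` fallback also passes an explicit value for each input, so it overrides whatever default `install-linux-deps` declares for an unset input; the action's `action.yml` is not part of this diff, so confirm its defaults are all false. The commented-out old line is dead code. I would replace both comment lines with one that states the constraint, e.g. `# Inputs are listed explicitly so zizmor can audit them; keep in sync with install-linux-deps inputs and the matrix 'dependencies' keys.`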
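Review bot: In the second hunk, the job-level `permissions:` block of `security-lint` grants only `security-events: write`, which sets every other scope, including `contents`, to none. Checkout still works on a public repository, but on a private or internal copy of the repo the job would likely fail at `actions/checkout`; if that case matters, add `contents: read`. The write scope is presumably there for the SARIF upload to code scanning, and a trailing comment would make that explicit: `security-events: write # upload zizmor SARIF results`. The workflow's `on:` triggers are outside this hunk, so check that the job only runs on events where a token with a write scope is acceptable.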