diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fdb6eba..e1bc5c1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,3 +13,5 @@ updates:
       prefix: "[ci]"
     labels:
       - maintenance
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a74a075..39bc06a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -3,20 +3,32 @@ name: Continuous Integration
 # always run CI on new commits to any branch
 on: push
 
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 jobs:
   lint:
     name: lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
-      - uses: pre-commit/action@v3.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
   all-successful:
     if: always()
     runs-on: ubuntu-latest
     needs:
       - lint
+    permissions:
+      statuses: read
     steps:
       - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@v1.2.2
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
         with:
           jobs: ${{ toJSON(needs) }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bff4e53..baef2ee 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.2
+    rev: v0.15.9
     hooks:
       - id: ruff-check
         args: ["--config", "pyproject.toml", "--fix"]
@@ -28,3 +28,7 @@ repos:
     rev: v1.38.0
     hooks:
       - id: yamllint
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
diff --git a/README.md b/README.md
index b72a8ed..475ca2c 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,7 @@ Click the "title" links below for links to slides, code, and other background in
 | ["People Shape Software"][9]                                                              |                   [satRdays Chicago (Apr 2019)][10]                    |
 | ["Prefect in 5 Minutes"][28]                                                              |                    [ChiPy Data SIG (May 2021)][31]                     |
 | ["Proliferation of New Database Technologies <br>and Implications for Data Science"][11]  |              [Domino Data Science Pop-Up (Oct 2017)][12]               |
+| ["pydistcheck: detect portability issues in Python package distributions][48] | [SciPy 2025][49] |
 | ["R From the Command Line"][23]                                                           |                      [LA R Users (Mar 2021)][24]                       |
 | ["Recent Developments in LightGBM"][19]                                                   |                [LA Data Science Meetup (Jan 2021)][20]                 |
 | ["Road to a Data Science Career"][3]                                                      |                  [iRisk Lab Hack Night (Aug 2020)][4]                  |
@@ -96,3 +97,5 @@ Click the "title" links below for links to slides, code, and other background in
 [45]: https://mlops.community/james-lamb-machine-learning-engineer/
 [46]: https://onceamaintainer.substack.com/p/once-a-maintainer-james-lamb
 [47]: ./those-tables-were-empty
+[48]: ./pydistcheck-a-portability-linter/
+[49]: https://youtu.be/Q1fDDprEDS8?si=ER5i04KBhhvUgKSg&t=2101
diff --git a/people-shape-software/src/repos/feather b/people-shape-software/src/repos/feather
deleted file mode 160000
index 99267b3..0000000
--- a/people-shape-software/src/repos/feather
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 99267b30461c46b9e437f95e1d9338a92a854270
diff --git a/people-shape-software/src/repos/xgboost b/people-shape-software/src/repos/xgboost
deleted file mode 160000
index 65db8d0..0000000
--- a/people-shape-software/src/repos/xgboost
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 65db8d0626c0324535f09b0502f2e2a49103dae9
diff --git a/pydistcheck-a-portability-linter/README.md b/pydistcheck-a-portability-linter/README.md
new file mode 100644
index 0000000..03c15de
--- /dev/null
+++ b/pydistcheck-a-portability-linter/README.md
@@ -0,0 +1,9 @@
+# pydistcheck: detect portability issues in Python package distributions
+
+Lightning talk about `pydistcheck`, the CLI I wrote to help find portability issues in software distributions (especially Python pcakages, including wheels, sdists, and conda packages).
+
+See https://github.com/jameslamb/pydistcheck
+
+## Where this talk has been given
+
+* [SciPy 2025 - lightgbming talks](https://www.scipy2025.scipy.org/), July 2025 ([video](https://youtu.be/Q1fDDprEDS8?si=ER5i04KBhhvUgKSg&t=2101) | [slides](https://docs.google.com/presentation/d/1K4pFlT5TQQhG5tEwR2Kh3tYKtU7bOGLSLIXr6AcrKqI/edit?usp=sharing))
diff --git a/setup.cfg b/setup.cfg
deleted file mode 100644
index 287c555..0000000
--- a/setup.cfg
+++ /dev/null
@@ -1,11 +0,0 @@
-[flake8]
-max-line-length = 100
-ignore =
-    # module level import not at top of file
-    E402,
-    # line too long
-    E501,
-    # do not use bare except
-    E722,
-    # do not assign a lambda expression
-    E731