diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 9ffd07d98..0be663232 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -16,10 +16,10 @@ permissions: {}
 jobs:
   zizmor:
     name: Check GitHub Actions security
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      security-events: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -28,7 +28,5 @@ jobs:
       - name: Run zizmor
         uses: zizmorcore/zizmor-action@a16621b09c6db4281f81a93cb393b05dcd7b7165 # v0.5.5
         with:
-          # Using false as a code scanning ruleset would block the release
-          # workflow which creates a new commit and pushes directly to main.
-          advanced-security: false
-          min-severity: medium
+          advanced-security: ${{ github.event_name == 'push' && 'true' || 'false' }}
+          min-severity: low
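Review bot: Removing the `if:` guard in the first hunk means the job now also runs for pull requests opened from forks, where the GITHUB_TOKEN is read-only and the newly added `security-events: write` is not actually granted. That is only harmless because the second hunk keeps `advanced-security` at `'false'` for every non-push event, so the two hunks depend on each other and a reader of the permissions block alone cannot see why the write scope is safe to request; a comment such as `# effective only on push runs: PR runs (incl. forks) get a read-only token and skip the upload` above `security-events: write` would make that explicit. If the workflow's `on:` block outside this hunk also lists `schedule` or `workflow_dispatch`, those runs would request the scope and then never use it, which is probably intended but worth confirming.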
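Review bot: The second hunk drops the two comment lines that explained why code-scanning upload was disabled and replaces them with an `advanced-security` expression that carries no rationale for gating on `push`, so the next maintainer has to rediscover the reason. A one-line comment above the expression, `# Upload SARIF to code scanning only on push; pull_request runs cannot write security-events`, would preserve the intent. Lowering `min-severity` from `medium` to `low` in the same hunk widens what is reported: on push these findings land in code scanning alerts, and on PR runs they presumably fail the check the way medium ones did before, so confirm the existing workflows are clean at `low` before merging.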