diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4971654..532e648 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,6 +16,7 @@ updates: - dependency-name: crazy-max/ghaction-dump-context - dependency-name: crazy-max/ghaction-github-labeler - dependency-name: crazy-max/ghaction-github-status + - dependency-name: GitHubSecurityLab/actions-permissions - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - dependency-name: step-security/harden-runner
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e7a60b2..15a004c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,10 +30,18 @@ env: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2
@@ -48,8 +56,15 @@ jobs: lint: needs: - diagnostics + permissions: + # actions/checkout needs this to fetch code + contents: read runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index e83bd41..0005147 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
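Review bot: The new `GitHubSecurityLab/actions-permissions` entry joins what appears to be the Dependabot ignore list (the enclosing key is outside the hunk), while the workflow hunks in this same commit reference the action by the floating `@v1` tag, so the repository neither pins the revision it runs nor receives update PRs for a monitoring step that runs first in every job. This matches the existing entries such as `step-security/harden-runner`, so it is consistent with the file's convention, but that convention trades reproducibility of the workflow for convenience. If keeping `@v1` floating is intended, a comment on the entry saying so, `# Tracked by major-version tag in the workflows; updates land without a PR`, would make the trade-off explicit; otherwise pin to a full-length commit SHA in the workflows and drop this entry.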
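Review bot: The monitor step is inserted ahead of `harden-runner` in the diagnostics job (and likewise in `lint` in the next hunk and in both jobs of `sync-labels.yml`), so whatever the monitor action does during its own setup runs before harden-runner's agent is in place; if harden-runner's `with:` block, which is outside the hunk, sets a restrictive `egress-policy`, that first step is not covered by it, and nothing in the comments says whether that ordering was deliberate. The two `# Note that a duplicate of this step must be added at the top of each job.` comments now sit back to back and should be merged into one that names both steps, e.g. `# Note that duplicates of the next two steps must be added at the top of each job.`, with a sentence on why the monitor precedes harden-runner. Separately, `${{ vars.ACTIONS_PERMISSIONS_CONFIG }}` expands to an empty string when the organization variable is unset, and the `# Uses the organization variable unless overridden` comment does not say what the action does with an empty `config`; worth confirming and noting there.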
@@ -4,8 +4,9 @@ name: sync-labels on: push: paths: - - '.github/labels.yml' - - '.github/workflows/sync-labels.yml' + - .github/labels.yml + - .github/workflows/sync-labels.yml + workflow_dispatch: permissions: contents: read
@@ -13,10 +14,18 @@ permissions: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2
@@ -38,6 +47,10 @@ jobs: issues: write runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a8fc871..6f06acc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,15 +10,19 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs - id: check-json - id: check-merge-conflict + - id: check-shebang-scripts-are-executable + - id: check-symlinks - id: check-toml + - id: check-vcs-permalinks - id: check-xml - id: debug-statements + - id: destroyed-symlinks - id: detect-aws-credentials args: - --allow-missing-credentials
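Review bot: `check-shebang-scripts-are-executable` is the one new hook that explains the rest of this commit — every sourced rc file under `bash/` and `zsh/` loses its shebang, and most lose their executable bit, presumably so that this hook and the existing `check-executables-have-shebangs` are satisfied together — but nothing in the config records that, so the next contributor who adds a fragment with a shebang will only learn why from a hook failure. A comment above the new id, `# Sourced rc fragments (bash/, zsh/) carry neither a shebang nor an executable bit; see check-executables-have-shebangs above`, would keep the pair of hooks and the layout of those directories in step.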
@@ -53,14 +57,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.2 + rev: 0.29.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.8.0 + rev: v4.0.1 hooks: - id: validate_manifest
@@ -68,25 +72,25 @@ repos: - repo: https://github.com/TekWizely/pre-commit-golang rev: v1.0.0-rc.1 hooks: - # Style Checkers - - id: go-critic - # StaticCheck - - id: go-staticcheck-repo-mod # Go Build - id: go-build-repo-mod + # Style Checkers + - id: go-critic + # goimports + - id: go-imports-repo + args: + # Write changes to files + - -w # Go Mod Tidy - id: go-mod-tidy-repo + # GoSec + - id: go-sec-repo-mod + # StaticCheck + - id: go-staticcheck-repo-mod # Go Test - id: go-test-repo-mod # Go Vet - id: go-vet-repo-mod - # GoSec - - id: go-sec-repo-mod - # goimports - - id: go-imports-repo - args: - # Write changes to files - - -w # Nix hooks - repo: https://github.com/nix-community/nixpkgs-fmt rev: v1.3.0
@@ -95,7 +99,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.9.0-1 + rev: v3.10.0-1 hooks: - id: shfmt args:
@@ -126,7 +130,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.8.0 + rev: 24.10.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8
@@ -140,7 +144,7 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.11.2 + rev: v1.13.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit
@@ -156,7 +160,7 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.17.0 + rev: v3.19.0 hooks: - id: pyupgrade
@@ -200,7 +204,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.1.0 + rev: v0.3.0 hooks: - - id: packer_validate - id: packer_fmt + - id: packer_validate
diff --git a/bash/.bash_greeter b/bash/.bash_greeter
old mode 100755
new mode 100644
index e08f1b7..b715d5e
--- a/bash/.bash_greeter
+++ b/bash/.bash_greeter
@@ -1,4 +1,3 @@ -#!/bin/bash # shellcheck disable=SC2034 # Disabled SC2034 to allow colors not currently in use to remain
diff --git a/bash/.bash_logout b/bash/.bash_logout
index 2c92cf0..06f48a0 100644
--- a/bash/.bash_logout
+++ b/bash/.bash_logout
@@ -1,2 +1 @@ -#!/bin/bash echo END OF LINE
diff --git a/bash/.bash_profile b/bash/.bash_profile
index f72a58d..d20f58f 100644
--- a/bash/.bash_profile
+++ b/bash/.bash_profile
@@ -1,4 +1,4 @@ -#!/bin/bash +# shellcheck shell=bash # Workaround to get macOS to use .bashrc if [[ "$OSTYPE" == "darwin"* ]] && [ -r "$HOME/.bashrc" ]; then
diff --git a/bash/.bashrc b/bash/.bashrc
index f245148..483d181 100644
--- a/bash/.bashrc
+++ b/bash/.bashrc
@@ -1,4 +1,4 @@ -#!/bin/bash +# shellcheck shell=bash # If not running interactively, don't do anything [[ $- != *i* ]] && return
diff --git a/bash/.bashrc.d/aliases b/bash/.bashrc.d/aliases
old mode 100755
new mode 100644
index 84817a7..9cc1c05
--- a/bash/.bashrc.d/aliases
+++ b/bash/.bashrc.d/aliases
@@ -1,5 +1,3 @@ -#!/bin/bash - # Make some possibly destructive commands more interactive. if [ ${UID} -eq 0 ]; then alias rm='rm -i'
diff --git a/bash/.bashrc.d/aws b/bash/.bashrc.d/aws
old mode 100755
new mode 100644
index 29c6a30..a1f53ad
--- a/bash/.bashrc.d/aws
+++ b/bash/.bashrc.d/aws
@@ -1,3 +1 @@ -#!/bin/bash - export AWS_PROFILE="cool-user"
diff --git a/bash/.bashrc.d/cyhy b/bash/.bashrc.d/cyhy
old mode 100755
new mode 100644
index b07c982..a767a28
--- a/bash/.bashrc.d/cyhy
+++ b/bash/.bashrc.d/cyhy
@@ -1,3 +1 @@ -#!/bin/bash - export CYHY_CONF_DIR=/private/etc/cyhy
diff --git a/bash/.bashrc.d/gpg b/bash/.bashrc.d/gpg
old mode 100755
new mode 100644
index 105a345..a02dda8
--- a/bash/.bashrc.d/gpg
+++ b/bash/.bashrc.d/gpg
@@ -1,5 +1,3 @@ -#!/bin/bash - # From gpg-agent manpage GPG_TTY=$(tty) export GPG_TTY
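Review bot: `.bash_profile` and `.bashrc` replace the removed shebang with `# shellcheck shell=bash`, but the other bash files in this commit whose shebang is removed get no replacement: `.bash_greeter`, `.bash_logout`, and `.bashrc.d/aliases`, `aws`, `cyhy`, `gpg` here, plus `.bashrc.d/kerberos`, `pip`, `prompt`, `pyenv` and `rsync` further down. At least `.bash_greeter` and `.bashrc.d/prompt` are evidently run through shellcheck (both carry a `# shellcheck disable=SC2034` directive), and with neither a shebang nor a `shell=` directive shellcheck cannot tell the dialect from the file itself and is expected to report SC2148 unless the hook passes `--shell`, which the config excerpt in this diff does not show. Add `# shellcheck shell=bash` as the first line of each of those files, as this hunk does; the `zsh/` files are unaffected because shellcheck does not analyze zsh.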
diff --git a/bash/.bashrc.d/kerberos b/bash/.bashrc.d/kerberos
index eb5eed9..540537d 100644
--- a/bash/.bashrc.d/kerberos
+++ b/bash/.bashrc.d/kerberos
@@ -1,4 +1,2 @@ -#!/bin/bash - # Load MIT Kerberos (installed via brew) before the default export PATH="/usr/local/opt/krb5/bin:/usr/local/opt/krb5/sbin:$PATH"
diff --git a/bash/.bashrc.d/pip b/bash/.bashrc.d/pip
old mode 100755
new mode 100644
index d0f9199..07193d6
--- a/bash/.bashrc.d/pip
+++ b/bash/.bashrc.d/pip
@@ -1,4 +1,2 @@ -#!/bin/bash - # pip cache export PIP_DOWNLOAD_CACHE=$HOME/Library/Caches/pip-downloads
diff --git a/bash/.bashrc.d/prompt b/bash/.bashrc.d/prompt
old mode 100755
new mode 100644
index 07b934f..8e22251
--- a/bash/.bashrc.d/prompt
+++ b/bash/.bashrc.d/prompt
@@ -1,5 +1,3 @@ -#!/bin/bash - # Disable SC2034 to allow colors not currently in use to remain # shellcheck disable=SC2034 BLUE=$(tput setaf 4)
diff --git a/bash/.bashrc.d/pyenv b/bash/.bashrc.d/pyenv
old mode 100755
new mode 100644
index 58fdd64..2c1fba1
--- a/bash/.bashrc.d/pyenv
+++ b/bash/.bashrc.d/pyenv
@@ -1,5 +1,3 @@ -#!/bin/bash - # Add pyenv to PATH export PATH="$PATH:$HOME/.pyenv/bin"
diff --git a/bash/.bashrc.d/rsync b/bash/.bashrc.d/rsync
old mode 100755
new mode 100644
index adc150d..c6ee3c0
--- a/bash/.bashrc.d/rsync
+++ b/bash/.bashrc.d/rsync
@@ -1,3 +1 @@ -#!/bin/bash - export RSYNC_RSH=ssh
diff --git a/zsh/.p10k.zsh b/zsh/.p10k.zsh
index 287b25a..fd4e0f3 100644
--- a/zsh/.p10k.zsh
+++ b/zsh/.p10k.zsh
@@ -1,4 +1,3 @@ -#!/bin/zsh # Generated by Powerlevel10k configuration wizard on 2020-05-12 at 09:58 EDT. # Based on romkatv/powerlevel10k/config/p10k-lean.zsh, checksum 28636. # Wizard options: compatible, unicode, lean, 1 line, compact, fluent, transient_prompt,
diff --git a/zsh/.zshrc b/zsh/.zshrc
index acec42c..02850cf 100644
--- a/zsh/.zshrc
+++ b/zsh/.zshrc
@@ -1,5 +1,3 @@ -#!/bin/zsh - # Enable Powerlevel10k instant prompt. Should stay close to the top of ~/.zshrc. # Initialization code that may require console input (password prompts, [y/n] # confirmations, etc.) must go above this block; everything else may go below.
diff --git a/zsh/.zshrc.d/aliases b/zsh/.zshrc.d/aliases
old mode 100755
new mode 100644
index c054f4d..e79c064
--- a/zsh/.zshrc.d/aliases
+++ b/zsh/.zshrc.d/aliases
@@ -1,5 +1,3 @@ -#!/bin/zsh - # Make some possibly destructive commands more interactive. if [ ${UID} -eq 0 ]; then alias rm='rm -i'
diff --git a/zsh/.zshrc.d/aws b/zsh/.zshrc.d/aws
old mode 100755
new mode 100644
index c1db081..a1f53ad
--- a/zsh/.zshrc.d/aws
+++ b/zsh/.zshrc.d/aws
@@ -1,3 +1 @@ -#!/bin/zsh - export AWS_PROFILE="cool-user"
diff --git a/zsh/.zshrc.d/cyhy b/zsh/.zshrc.d/cyhy
old mode 100755
new mode 100644
index 735ca9d..63e37c4
--- a/zsh/.zshrc.d/cyhy
+++ b/zsh/.zshrc.d/cyhy
@@ -1,5 +1,3 @@ -#!/bin/zsh - # Set up CyHy docker environment variables export CYHY_CONF_DIR=/private/etc/cyhy export CYHY_CORE_IMAGE=ncats/cyhy-core
diff --git a/zsh/.zshrc.d/gnu-sed b/zsh/.zshrc.d/gnu-sed
index 8fbfed6..7982a49 100644
--- a/zsh/.zshrc.d/gnu-sed
+++ b/zsh/.zshrc.d/gnu-sed
@@ -1,5 +1,3 @@ -#!/bin/zsh - # Make it so gnu-sed replaces the MacOS version of sed # If not installed, brew install gnu-sed first
diff --git a/zsh/.zshrc.d/gpg b/zsh/.zshrc.d/gpg
old mode 100755
new mode 100644
index c0c792c..a02dda8
--- a/zsh/.zshrc.d/gpg
+++ b/zsh/.zshrc.d/gpg
@@ -1,5 +1,3 @@ -#!/bin/zsh - # From gpg-agent manpage GPG_TTY=$(tty) export GPG_TTY
diff --git a/zsh/.zshrc.d/kerberos b/zsh/.zshrc.d/kerberos
index cdb50eb..540537d 100644
--- a/zsh/.zshrc.d/kerberos
+++ b/zsh/.zshrc.d/kerberos
@@ -1,4 +1,2 @@ -#!/bin/zsh - # Load MIT Kerberos (installed via brew) before the default export PATH="/usr/local/opt/krb5/bin:/usr/local/opt/krb5/sbin:$PATH"
diff --git a/zsh/.zshrc.d/nvm b/zsh/.zshrc.d/nvm
index 91a1751..c7b54aa 100644
--- a/zsh/.zshrc.d/nvm
+++ b/zsh/.zshrc.d/nvm
@@ -1,5 +1,3 @@ -#!/bin/zsh - # Set up node/NVM export NVM_DIR="$HOME/.nvm" [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
diff --git a/zsh/.zshrc.d/pip b/zsh/.zshrc.d/pip
old mode 100755
new mode 100644
index 8853493..905c517
--- a/zsh/.zshrc.d/pip
+++ b/zsh/.zshrc.d/pip
@@ -1,5 +1,3 @@ -#!/bin/zsh - # Set pip cache export PIP_DOWNLOAD_CACHE=$HOME/Library/Caches/pip-downloads
diff --git a/zsh/.zshrc.d/prompt b/zsh/.zshrc.d/prompt
old mode 100755
new mode 100644
index b6e002e..f9c25ae
--- a/zsh/.zshrc.d/prompt
+++ b/zsh/.zshrc.d/prompt
@@ -1,5 +1,3 @@ -#!/bin/zsh - BLUE=$(tput setaf 4) BRIGHT_GREEN=$(tput setaf 10) BRIGHT_RED=$(tput setaf 196)
diff --git a/zsh/.zshrc.d/pyenv b/zsh/.zshrc.d/pyenv
old mode 100755
new mode 100644
index 2ae698e..793e407
--- a/zsh/.zshrc.d/pyenv
+++ b/zsh/.zshrc.d/pyenv
@@ -1,5 +1,3 @@ -#!/bin/zsh - # Add pyenv to PATH export PATH="$PATH:$HOME/.pyenv/bin"
diff --git a/zsh/.zshrc.d/rsync b/zsh/.zshrc.d/rsync
old mode 100755
new mode 100644
index 9fa0d75..c6ee3c0
--- a/zsh/.zshrc.d/rsync
+++ b/zsh/.zshrc.d/rsync
@@ -1,3 +1 @@ -#!/bin/zsh - export RSYNC_RSH=ssh