diff --git a/.github/actions/setup-zizmor-config/action.yml b/.github/actions/setup-zizmor-config/action.yml
index f50e014..54266b1 100644
--- a/.github/actions/setup-zizmor-config/action.yml
+++ b/.github/actions/setup-zizmor-config/action.yml
@@ -6,13 +6,20 @@ runs:
 - name: Ensure default zizmor.yml
 shell: bash
 run: |
- if [ ! -f zizmor.yml ]; then
+ # Create zizmor config if missing
+ if [[ ! -f zizmor.yml ]]; then
 echo "Creating a custom zizmor.yml configuration file for CI..."
- cat > zizmor.yml << 'EOF'
- rules:
- dependabot-cooldown:
- disable: true
- EOF
- else
- echo "⊘ Found existing zizmor.yml configuration file"
+ echo $'rules:\n' > zizmor.yml
 fi
+
+ # Patch (merge) with extra config
+ echo "Patching zizmor.yml configuration file for CI..."
+ yq -i '
+ .rules |= (. // {}) |
+ .rules."dependabot-cooldown" |= (. // {}) |
+ .rules."dependabot-cooldown".disable |= true |
+ .rules."unpinned-uses" |= (. // {}) |
+ .rules."unpinned-uses".config |= (. // {}) |
+ .rules."unpinned-uses".config.policies |= (. // {}) |
+ .rules."unpinned-uses".config.policies."MiraGeoscience/*" |= "ref-pin"
+ ' zizmor.yml
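Review bot: The `yq -i` patch now runs even when the repository already has a `zizmor.yml`, so the two plain `|=` assignments overwrite whatever the repository chose: a stricter `hash-pin` policy for `MiraGeoscience/*` is silently downgraded to `ref-pin`, and the `dependabot-cooldown` audit is disabled regardless, whereas the old code left an existing file untouched. If the intent is to supply defaults rather than force them, let an existing policy win with `.rules."unpinned-uses".config.policies."MiraGeoscience/*" |= (. // "ref-pin")`, the same idiom the expression already uses for the parent maps. `ref-pin` on a whole-organisation wildcard also accepts mutable tags and branches for every action under that owner, so a short comment above the `yq` call stating why that trade-off is accepted (and why the cooldown audit is off) would help the next reviewer. The step also assumes a `yq` that understands this expression syntax is on the runner's PATH, which the hunk does not show being installed or checked; the rest of `action.yml` is outside the hunk.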