diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index ae40cdf..d2cf6f3 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -8,9 +8,6 @@ on:
 jobs:
   check:
     runs-on: macos-latest
-    permissions:
-      id-token: write
-      contents: read
     steps:
       - uses: actions/checkout@v4
       # - uses: DeterminateSystems/flake-checker-action@v4
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index aca3a91..ae9ce90 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -8,8 +8,7 @@ jobs:
   update:
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
-      contents: read
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v27
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c2c453e..89b91e3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,12 +4,54 @@ repos:
     hooks:
       - id: pre-commit-update
 
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      # whitespace
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext, md]
+
+        # files
+      - id: check-case-conflict
+      - id: check-executables-have-shebangs
+      - id: check-symlinks
+      - id: destroyed-symlinks
+      - id: fix-byte-order-marker
+
+        # git
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-vcs-permalinks
+      - id: no-commit-to-branch
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.23.3
+    hooks:
+      - id: gitleaks
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.7
+    hooks:
+      - id: actionlint
+
   - repo: https://github.com/astro/deadnix
     rev: v1.3.0
     hooks:
       - id: deadnix
         language: rust
 
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+      - id: hadolint-docker
+
+  - repo: https://github.com/markdownlint/markdownlint
+    rev: v0.13.0
+    hooks:
+      - id: markdownlint
+
   - repo: https://github.com/ComPWA/taplo-pre-commit
     rev: v0.9.3
     hooks:
diff --git a/biome.json b/biome.json
new file mode 100644
index 0000000..5d4a88f
--- /dev/null
+++ b/biome.json
@@ -0,0 +1,5 @@
+{
+  "formatter": {
+    "indentStyle": "space"
+  }
+}
diff --git a/chezmoi/private_dot_config/zsh/dot_p10k.zsh b/chezmoi/private_dot_config/zsh/dot_p10k.zsh
index d2abff8..2520ae1 100644
--- a/chezmoi/private_dot_config/zsh/dot_p10k.zsh
+++ b/chezmoi/private_dot_config/zsh/dot_p10k.zsh
@@ -727,7 +727,7 @@
   typeset -g POWERLEVEL9K_RANGER_FOREGROUND=178
   # Custom icon.
   # typeset -g POWERLEVEL9K_RANGER_VISUAL_IDENTIFIER_EXPANSION='⭐'
-  
+
   ####################[ yazi: yazi shell (https://github.com/sxyazi/yazi) ]#####################
   # Yazi shell color.
   typeset -g POWERLEVEL9K_YAZI_FOREGROUND=178
diff --git a/modules/flake-parts/git-hooks.nix b/modules/flake-parts/git-hooks.nix
index 24ab7c0..8fbff5b 100644
--- a/modules/flake-parts/git-hooks.nix
+++ b/modules/flake-parts/git-hooks.nix
@@ -4,11 +4,16 @@
 
   perSystem = _: {
     pre-commit.settings.hooks = {
+      actionlint.enable = true;
+      biome.enable = true;
       deadnix.enable = true;
       editorconfig-checker.enable = true;
+      hadolint.enable = true;
+      markdownlint.enable = true;
       nixfmt-rfc-style.enable = true;
       statix.enable = true;
       taplo.enable = true;
+      trufflehog.enable = true;
       yamlfmt.enable = true;
     };
   };
diff --git a/modules/flake-parts/treefmt.nix b/modules/flake-parts/treefmt.nix
index d8bf609..96a9e09 100644
--- a/modules/flake-parts/treefmt.nix
+++ b/modules/flake-parts/treefmt.nix
@@ -5,6 +5,7 @@
   perSystem = _: {
     treefmt = {
       programs = {
+        biome.enable = true;
         deadnix.enable = true;
         prettier.enable = true;
         nixfmt.enable = true;
diff --git a/modules/home/apps.nix b/modules/home/apps.nix
index 60cafea..eaeecee 100644
--- a/modules/home/apps.nix
+++ b/modules/home/apps.nix
@@ -14,13 +14,18 @@ inputs@{ pkgs, ... }:
 
     # dev
     ansible
+    cabal-install
     devbox
     direnv
     git
     gh
+    ghc
+    go
     mise
     ollama
     process-compose
+    python3
+    ruby
     rustup
     terraform
     terragrunt
diff --git a/modules/home/zsh.nix b/modules/home/zsh.nix
index 80e5c36..484c7e8 100644
--- a/modules/home/zsh.nix
+++ b/modules/home/zsh.nix
@@ -56,7 +56,7 @@
     #     src = "${zsh-fast-syntax-highlighting}/share/zsh/site-functions";
     #   }
     #   {
-    #     # after syntax-highting
+    #     # after syntax-highlighting
     #     name = "zsh-history-substring-search";
     #     src = "${zsh-history-substring-search}/share/zsh-history-substring-search";
     #     file = "zsh-history-substring-search.zsh";