diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index cbe110eb..48f09d85 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -37,13 +37,14 @@ jobs:
         with:
           token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
           fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
+          persist-credentials: false
 
       # MegaLinter
       - name: MegaLinter
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/flavors/
-        uses: oxsecurity/megalinter@v9.4.0
+        uses: oxsecurity/megalinter@v9.5.0
         env:
           # All available variables are described in documentation
           # https://megalinter.io/configuration/
@@ -66,7 +67,7 @@ jobs:
       - name: Print PR condition
         run: |
           # Print the condition
-          echo "(${{ env.APPLY_FIXES_EVENT }} == 'all' || ${{ env.APPLY_FIXES_EVENT }} == ${{ github.event_name }}) && ${{ env.APPLY_FIXES_MODE }} == 'pull_request' && (${{ github.event_name }} == 'push' || ${{ github.event.pull_request.head.repo.full_name }} == ${{ github.repository }})"
+          echo "(${APPLY_FIXES_EVENT} == 'all' || ${APPLY_FIXES_EVENT} == ${{ github.event_name }}) && ${APPLY_FIXES_MODE} == 'pull_request' && (${{ github.event_name }} == 'push' || ${{ github.event.pull_request.head.repo.full_name }} == ${{ github.repository }})"
       - name: Create Pull Request with applied fixes
         id: cpr
         if: (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
diff --git a/.mega-linter.yml b/.mega-linter.yml
index dca1d8c4..7203b629 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -27,7 +27,7 @@ DISABLE_ERRORS_LINTERS: # If errors are found by these linters, they will be con
   - PYTHON_BANDIT # The bandit check is overly broad and complains about subprocess usage.
 SHOW_ELAPSED_TIME: true
 FILEIO_REPORTER: false
-GITHUB_COMMENT_REPORTER: false
+GITHUB_COMMENT_REPORTER: true
 UPDATED_SOURCES_REPORTER: true
 PRINT_ALPACA: false # Don't print ASCII alpaca in the log
 PRINT_ALL_FILES: true # Print all processed files
@@ -38,3 +38,4 @@ PYTHON_RUFF_CONFIG_FILE: pyproject.toml
 CPP_CPPLINT_FILE_EXTENSIONS: [".C", ".c", ".c++", ".cc", ".cl", ".cpp", ".cu", ".cuh", ".cxx", ".cxx.in", ".h", ".h++", ".hh", ".h.in", ".hpp", ".hxx", ".inc", ".inl", ".macro"]
 CPP_CLANG_FORMAT_FILE_EXTENSIONS: [".C", ".c", ".c++", ".cc", ".cl", ".cpp", ".cu", ".cuh", ".cxx", ".cxx.in", ".h", ".h++", ".hh", ".h.in", ".hpp", ".hxx", ".inc", ".inl", ".macro"]
 FILTER_REGEX_EXCLUDE: (codeQA/|Upgrade/)
+ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: [GITHUB_TOKEN]