diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..bd8dc984
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,12 @@
+# Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # We require SHA-pinning for all workflows and actions _except_ for those from
+        # rapidsai/shared-workflows and rapidsai/shared-actions
+        "rapidsai/shared-workflows/*": any
+        "rapidsai/shared-actions/*": any
+        "actions/*": ref-pin
+        "*": hash-pin
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 26553360..9aae81a3 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -24,7 +24,7 @@ export LINUX_VER=ubuntu24.04
 export PYTHON_VER=3.14
 
 # RAPIDS version in {major}.{minor}
-export RAPIDS_VER=26.04
+export RAPIDS_VER=26.06
 
 # rapidsai/base
 docker build $(ci/compute-build-args.sh) \
diff --git a/ci/release/update-version.sh b/ci/release/update-version.sh
index b342266c..d480f942 100755
--- a/ci/release/update-version.sh
+++ b/ci/release/update-version.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright (c) 2023-2025, NVIDIA CORPORATION.
+# Copyright (c) 2023-2026, NVIDIA CORPORATION.
 
 ## Usage
 # Primary interface:   bash update-version.sh <new_version> [--run-context=main|release]
@@ -100,6 +100,10 @@ sed_runner "s/com\.nvidia\.workbench\.image-version=.*/com.nvidia.workbench.imag
 sed_runner "s|ARG RAPIDS_BRANCH=\"release/[0-9]\+\.[0-9]\+\"|ARG RAPIDS_BRANCH=\"${RAPIDS_BRANCH_NAME}\"|g" Dockerfile
 sed_runner "s|ARG RAPIDS_BRANCH=\"main\"|ARG RAPIDS_BRANCH=\"${RAPIDS_BRANCH_NAME}\"|g" Dockerfile
 
+# docs
+sed_runner "s|RAPIDS_VER=[[:digit:]]\+\.[[:digit:]]|RAPIDS_VER=${NEXT_SHORT_TAG}|g" CONTRIBUTING.md
+sed_runner "s|[[:digit:]]\+\.[[:digit:]]-cuda|${NEXT_SHORT_TAG}-cuda|g" SECURITY.md
+
 # CI files
 for FILE in .github/workflows/*.yaml .github/workflows/*.yml; do
   sed_runner "/shared-workflows/ s|@.*|@${WORKFLOW_BRANCH_REF}|g" "${FILE}"
diff --git a/context/scripts/configure-conda-base-environment b/context/scripts/configure-conda-base-environment
index 34f87531..24e5c8e9 100755
--- a/context/scripts/configure-conda-base-environment
+++ b/context/scripts/configure-conda-base-environment
@@ -34,6 +34,11 @@ if [[ "$PYTHON_VERSION_PADDED" > "3.12" ]]; then
 else
     PYTHON_ABI_TAG="cpython"
 fi
+
+# force-reinstall 'conda' first, to clear out any files left behind from updates
+rapids-conda-retry install -y -n base --force-reinstall 'conda>=26.5.0'
+
+# update Python in the environment
 rapids-conda-retry install -y -n base "python>=${PYTHON_VERSION},<${PYTHON_UPPER_BOUND}=*_${PYTHON_ABI_TAG}"
 rapids-conda-retry update --all -y -n base
 find /opt/conda -follow -type f -name '*.a' -delete