diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..50e50eb
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    labels: [dependencies, ci]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..42c72ee
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,27 @@
+name: CI
+on:
+  push:
+    branches: [main, dev, 'feat/**', 'fix/**']
+  pull_request:
+    branches: [main, dev]
+jobs:
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    container:
+      image: debian:trixie-slim
+    steps:
+      - run: apt-get update && apt-get install -y --no-install-recommends ca-certificates git shellcheck
+      - uses: actions/checkout@v6
+      - run: find . -name '*.sh' -exec shellcheck --severity=warning {} +
+
+  ansible-lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    container:
+      image: python:3.13-slim
+    steps:
+      - run: apt-get update && apt-get install -y --no-install-recommends git
+      - uses: actions/checkout@v6
+      - run: pip install --no-cache-dir ansible-lint
+      - run: ansible-lint . --profile=production