diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..16d650e
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,86 @@
+# Continuous Integration Workflow
+#
+# Validates code quality and correctness on every pull request and push to
+# main.
+#
+# The test job runs the test suite across multiple Go versions (stable and
+# oldstable) with race detection enabled to catch concurrency issues.
+#
+# The lint job performs automated code quality checks using golangci-lint to
+# catch common issues and style violations.
+
+name: "🚦 Integration"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 9 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: "🧪 Testing"
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go-version: [stable, oldstable]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Build
+        run: go build ./...
+
+      - name: Test
+        run: go test -v -race ./...
+
+  lint:
+    name: "🌡️ Linting"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: stable
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v9
+        with:
+          version: latest
+
+  govulncheck:
+    name: "🛡️ Vulnerability Scanning"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Run govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-version-input: stable
+          output-format: sarif
+          output-file: results.sarif
+
+      - name: Upload SARIF to Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: govulncheck
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 0000000..b39ec52
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,15 @@
+# Golangci-lint Configuration
+#
+# Golangci-lint can be used with zero configuration, relying on sensible
+# defaults. This file exists as a signal to future maintainers that linting
+# is part of the development workflow.
+#
+# When configuration becomes necessary, consult these resources:
+#
+# Configuration File Reference (includes link to latest full reference file):
+#   <https://golangci-lint.run/docs/configuration/file>
+#
+# Available Linters (click any linter to see its specific configuration):
+#   <https://golangci-lint.run/docs/linters>
+
+version: "2"
diff --git a/README.md b/README.md
index 52284a3..f1c33ac 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 # v2-experiment
 
+[![CI](https://github.com/go-digitaltwin/v2-experiment/actions/workflows/ci.yml/badge.svg)](https://github.com/go-digitaltwin/v2-experiment/actions/workflows/ci.yml)
+
 A digital twin framework for event-driven systems in Go.
 
 **Input at runtime**: domain-specific deltas (partial updates describing