diff --git a/ci.yml b/ci.yml
new file mode 100644
index 0000000..99d5543
--- /dev/null
+++ b/ci.yml
@@ -0,0 +1,118 @@
+name: CI
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+env:
+ PYTHON_VERSION: "3.11"
+ # Used by tests / alembic; matches docker-compose-style DSN
+ TEST_POSTGRES_DSN: postgresql+asyncpg://postgres:postgres@localhost:5432/keywarden
+
+jobs:
+ lint:
+ name: Lint & Format
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: Install linters
+ run: |
+ python -m pip install --upgrade pip
+ pip install ruff==0.6.4 black==24.8.0
+
+ - name: Ruff (lint)
+ run: ruff check .
+
+ - name: Black (format check)
+ run: black --check .
+
+ test:
+ name: Tests (Pytest + Alembic + Postgres)
+ runs-on: ubuntu-latest
+ needs: lint
+ services:
+ postgres:
+ image: postgres:16
+ env:
+ POSTGRES_DB: keywarden
+ POSTGRES_USER: postgres
+ POSTGRES_PASSWORD: postgres
+ ports:
+ - 5432:5432
+ options: >-
+ --health-cmd="pg_isready -U postgres -d keywarden"
+ --health-interval=10s
+ --health-timeout=5s
+ --health-retries=10
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: Cache pip
+ uses: actions/cache@v4
+ with:
+ path: ~/.cache/pip
+ key: pip-${{ runner.os }}-${{ env.PYTHON_VERSION }}-${{ hashFiles('**/requirements.txt') }}
+ restore-keys: |
+ pip-${{ runner.os }}-${{ env.PYTHON_VERSION }}-
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+
+ - name: Create .env for tests
+ run: |
+ printf "KEYWARDEN_POSTGRES_DSN=%s\nKEYWARDEN_SECRET_KEY=%s\nKEYWARDEN_ACCESS_TOKEN_EXPIRE_MINUTES=60\n" \
+ "${{ env.TEST_POSTGRES_DSN }}" "testsecret" > .env
+ echo "Wrote .env with DSN=${{ env.TEST_POSTGRES_DSN }}"
+
+ - name: Run Alembic migrations
+ env:
+ KEYWARDEN_POSTGRES_DSN: ${{ env.TEST_POSTGRES_DSN }}
+ run: |
+ alembic upgrade head
+
+ - name: Pytest
+ env:
+ KEYWARDEN_POSTGRES_DSN: ${{ env.TEST_POSTGRES_DSN }}
+ run: |
+ pytest -q
+
+ docker-build:
+ name: Docker Build
+ runs-on: ubuntu-latest
+ needs: test
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build image (no push)
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: false
+ tags: keywarden:ci
+ # speeds up builds by caching layers on GH Actions
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
\ No newline at end of file
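Review bot: The "Create .env for tests" step splices `${{ env.TEST_POSTGRES_DSN }}` into the script text before the shell ever runs, and its last line echoes the full DSN, password included, into the job log. The value is a constant defined in this same file, so nothing is exposed today, but the pattern stops being harmless the moment the DSN carries a real credential or is derived from an untrusted context. Workflow-level `env` is already exported to every step, so the script can read it as a shell variable instead: `"$TEST_POSTGRES_DSN" "testsecret" > .env`, with the log line reduced to `echo "Wrote .env"`. Separately, every `uses:` reference in the file is a mutable tag (`actions/checkout@v4`, `docker/build-push-action@v5`, and the rest); pinning each to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, keeps a retagged release from silently changing what runs in these jobs.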