diff --git a/.github/workflows/policy.yml b/.github/workflows/policy.yml
new file mode 100644
index 0000000..0f8f3e0
--- /dev/null
+++ b/.github/workflows/policy.yml
@@ -0,0 +1,75 @@
+name: Policy
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ lint:
+ # Deduplicate jobs from pull requests and branch pushes within the same repo.
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source
+ uses: actions/checkout@v4.1.2
+
+ - name: Setup Regal
+ uses: StyraInc/setup-regal@v1.0.0
+ with:
+ version: latest
+
+ - name: Lint
+ run: regal lint --format github ./policy
+
+ test:
+ # Deduplicate jobs from pull requests and branch pushes within the same repo.
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source
+ uses: actions/checkout@v4.1.2
+
+ - name: Setup OPA
+ uses: open-policy-agent/setup-opa@v2.2.0
+ with:
+ version: latest
+
+ - name: Test
+ run: opa test ./policy -v
+
+ build_bundle:
+ needs:
+ - lint
+ - test
+ # Deduplicate jobs from pull requests and branch pushes within the same repo.
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout source
+ uses: actions/checkout@v4.1.2
+
+ - name: Generate Image Name
+ run: echo IMAGE_REPOSITORY=ghcr.io/$(echo "${{ github.repository }}-policy" | tr '[:upper:]' '[:lower:]' | tr '[_]' '[\-]') >> $GITHUB_ENV
+
+ - name: Log in to GitHub Docker Registry
+ uses: docker/login-action@v3.1.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Setup OPA
+ uses: open-policy-agent/setup-opa@v2.2.0
+ with:
+ version: latest
+
+ - name: Build OPA Policy # If this is a tag, use it as a revision string
+ run: opa build -b org-policy -r ${{ github.ref_name }} --ignore *_test.rego
+
+ - name: Publish OPA Bundle
+ if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
+ run: oras push ${{ env.IMAGE_REPOSITORY }}:${{ github.ref_name }} bundle.tar.gz:application/vnd.oci.image.layer.v1.tar+gzip
+
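Review bot: Only the build_bundle job declares `permissions:`; the lint and test jobs run with the repository's default GITHUB_TOKEN grant, which on many repositories is still write-all, so add a workflow-level `permissions:` / `  contents: read` block above `jobs:` (build_bundle's job-level block still overrides it with `packages: write`). Every third-party action is pinned to a mutable version tag (`actions/checkout@v4.1.2`, `StyraInc/setup-regal@v1.0.0`, `docker/login-action@v3.1.0`, `open-policy-agent/setup-opa@v2.2.0`) and OPA/Regal to `version: latest`; for a job that publishes a policy bundle under a write token, pin each action to its full commit SHA with the tag in a trailing comment and pin the tool versions so a tagged bundle is reproducible. `github.ref_name` is interpolated straight into the Build step's shell line, and git ref names may legally contain `;`, `$`, `|` and backticks, so pass it through an environment variable instead, e.g. `env: { REF: "${{ github.ref_name }}" }` with `run: opa build -b org-policy -r "$REF" --ignore '*_test.rego'` (the quoted glob also stops the shell expanding it before opa sees it). Two things I cannot confirm from the diff alone: lint and test target `./policy` while the build reads `org-policy`, and no step installs `oras` before the publish step, so either those paths are intentional and the runner image ships oras, or the first tag push fails at build or publish time.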