diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000..eb4c390
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,16 @@
+name: Lint workflow files
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/*.yml'
+      - '.github/workflows/*.yaml'
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  actionlint:
+    uses: fac/hermod/.github/workflows/actionlint.yml@master
+    secrets: inherit
diff --git a/Brewfile b/Brewfile
index e3462e1..cf1d205 100644
--- a/Brewfile
+++ b/Brewfile
@@ -1 +1,2 @@
+brew 'actionlint'
 brew 'lefthook'
diff --git a/README.md b/README.md
index 32bc4bf..20da3d3 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,7 @@ config.all_sso_sessions
 ## Making a commit
 [Lefthook](https://github.com/evilmartians/lefthook/) has [been configured](./lefthook.yml) with pre-commit checks to:
 - run `rubocop` for any `ruby` files
+- run `actionlint` for any GitHub workflow files
 
 If for some reason it's necessary, it's possible to temporarily skip `lefthook` with: `LEFTHOOK=0 git commit`.
 
diff --git a/lefthook.yml b/lefthook.yml
index 14e15fd..6faa58f 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -3,6 +3,9 @@
 pre-commit:
   parallel: true
   commands:
+    actionlint:
+      glob: ".github/workflows/*.{yml,yaml}"
+      run: actionlint {staged_files}
     ruby-lint:
       glob: "*.rb"
       run: bundle exec rubocop {staged_files}