diff --git a/.github/workflows/ci-docs.yml b/.github/workflows/ci-docs.yml
new file mode 100644
index 000000000..0a28f1d7e
--- /dev/null
+++ b/.github/workflows/ci-docs.yml
@@ -0,0 +1,19 @@
+name: CI Documentation Checks
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  lint-markdown:
+    name: Lint markdown
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # This is the GitHub Actions-friendly port of the linter used in the Makefile.
+      - uses: gaurav-nelson/github-action-markdown-link-check@1.0.15
+        with:
+          use-quiet-mode: "yes" # errors only.
+          config-file: ".github/workflows/markdownlint-config.json"
diff --git a/.github/workflows/ci-infra.yml b/.github/workflows/ci-infra.yml
new file mode 100644
index 000000000..24b9b5cf2
--- /dev/null
+++ b/.github/workflows/ci-infra.yml
@@ -0,0 +1,89 @@
+name: CI Infra Checks
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - bin/**
+      - infra/**
+      - .github/workflows/**
+  pull_request:
+    paths:
+      - bin/**
+      - infra/**
+      - .github/workflows/**
+
+jobs:
+  lint-github-actions:
+    # Lint github actions files using https://github.com/rhysd/actionlint
+    # This job configuration is largely copied from https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
+    name: Lint GitHub Actions workflows
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download actionlint
+        id: get_actionlint
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        shell: bash
+      - name: Check workflow files
+        run: ${{ steps.get_actionlint.outputs.executable }} -color
+        shell: bash
+  lint-scripts:
+    name: Lint scripts
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Shellcheck
+        run: make infra-lint-scripts
+  check-terraform-format:
+    name: Check Terraform format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Run infra-lint-terraform
+        run: |
+          echo "If this fails, run 'make infra-format'"
+          make infra-lint-terraform
+  validate-terraform:
+    name: Validate Terraform modules
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-terraform
+      - name: Validate
+        run: make infra-validate-modules
+  check-compliance-with-checkov:
+    name: Check compliance with checkov
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - name: Run Checkov check
+        # Pin to specific checkov version rather than running from checkov@master
+        # since checkov frequently adds new checks that can cause CI checks to fail unpredictably.
+        # There is currently no way to specify the checkov version to pin to (See https://github.com/bridgecrewio/checkov-action/issues/41)
+        # so we need to pin the version of the checkov-action, which indirectly pins the checkov version.
+        # In this case, checkov-action v12.2296.0 is mapped to checkov v2.3.194.
+        uses: bridgecrewio/checkov-action@v12.2296.0
+        with:
+          directory: infra
+          framework: terraform
+          quiet: true # only displays failed checks
+  check-compliance-with-tfsec:
+    name: Check compliance with tfsec
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run tfsec check
+        uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0
+        with:
+          github_token: ${{ github.token }}