diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..b33ca79
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,60 @@
+name: CI
+
+run-name: >-
+  ${{ github.event_name == 'pull_request'
+  && format('CI · PR #{0} · {1} · @{2}', github.event.pull_request.number, github.event.pull_request.head.ref, github.actor)
+  || format('CI · push {0} · @{1}', github.ref_name, github.actor) }}
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  check:
+    name: macOS / make check
+    if: github.repository == 'apple/coreai-optimization'
+    runs-on: [self-hosted, macos, tahoe, ARM64]
+    timeout-minutes: 30
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          fetch-depth: 0
+      - name: Install uv
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        with:
+          enable-cache: false
+      - name: Run `make check`
+        run: make check
+
+  macos-tests:
+    name: macOS / make test-highest-pytorch / markers=not-slow
+    needs: [check]
+    if: github.repository == 'apple/coreai-optimization'
+    runs-on: [self-hosted, macos, tahoe, ARM64]
+    timeout-minutes: 60
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: Install uv
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        with:
+          enable-cache: false
+      - name: Run `make test-highest-pytorch`
+        run: make test-highest-pytorch PYTEST_ARGS="--marker 'not slow' --junit"
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: test-results-macos-highest-fast
+          path: test-results/
diff --git a/configs/darker.toml b/configs/darker.toml
index e882829..b1bb3dc 100644
--- a/configs/darker.toml
+++ b/configs/darker.toml
@@ -5,5 +5,5 @@ formatter = "ruff"
 # We concluded that 88 is too restrictive for some use cases, so we use 100
 # Darker should override tool.ruff, but does not
 line-length = 100
-revision = "main"
+revision = "origin/main..."
 target-version = "py311"
diff --git a/pyproject.toml b/pyproject.toml
index 8dd045c..33537b1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [build-system]
 build-backend = "setuptools.build_meta"
-requires = [ "setuptools>=42", "wheel" ]
+requires = [ "setuptools>=42" ]
 
 [project]
 name = "coreai-opt"
@@ -177,6 +177,11 @@ environments = [
     "sys_platform == 'darwin' and platform_machine == 'arm64'",
     "sys_platform == 'linux' and platform_machine == 'x86_64'",
 ]
+# Security: only install distributions on PyPI for at least 3 days, giving
+# malicious uploads time to be detected and yanked before they reach CI.
+# coreai-core/coreai-torch are exempted (false) so CI tests their latest releases.
+exclude-newer = "3 days"
+exclude-newer-package = { coreai-core = false, coreai-torch = false }
 # Declare conflicting groups so uv does not error
 conflicts = [
     [