diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..e2e0bd2
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,30 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    groups:
+      drizzle:
+        patterns: ["drizzle-orm", "drizzle-kit", "@types/pg"]
+      tooling:
+        patterns: ["typescript", "@types/*", "tsx", "turbo", "eslint*"]
+      runtime:
+        patterns: ["viem", "alloy*", "@hono/*", "hono", "ioredis", "pg"]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+
+  - package-ecosystem: "docker"
+    directory: "/apps/api"
+    schedule:
+      interval: "monthly"
+
+  - package-ecosystem: "docker"
+    directory: "/apps/indexer"
+    schedule:
+      interval: "monthly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..2253827
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,69 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: typecheck + build (turbo)
+    runs-on: ubuntu-22.04
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_PASSWORD: ci
+          POSTGRES_DB: sentrix_ci
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U postgres"
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9.12.0
+          run_install: false
+
+      - name: Setup Node 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+
+      - name: Install deps
+        run: pnpm install --frozen-lockfile
+
+      - name: Turbo typecheck
+        run: pnpm turbo typecheck --concurrency=4
+
+      - name: Turbo build
+        run: pnpm turbo build --concurrency=4
+
+      - name: drizzle-kit generate (no diff = migrations in sync)
+        env:
+          DATABASE_URL: postgres://postgres:ci@localhost:5432/sentrix_ci
+        run: |
+          if [ -f packages/db/drizzle.config.ts ]; then
+            cd packages/db && pnpm exec drizzle-kit check 2>&1 || echo "::warning::drizzle-kit check failed (non-blocking)"
+          fi
+
+  docker:
+    name: docker images build
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v5
+      - name: Build api image
+        run: docker build -f apps/api/Dockerfile -t indexer-api:ci .
+      - name: Build indexer image
+        run: docker build -f apps/indexer/Dockerfile -t indexer-worker:ci .
diff --git a/.github/workflows/owner-auto-merge.yml b/.github/workflows/owner-auto-merge.yml
new file mode 100644
index 0000000..fe274ba
--- /dev/null
+++ b/.github/workflows/owner-auto-merge.yml
@@ -0,0 +1,27 @@
+name: Owner auto-merge
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review]
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  enable-auto-merge:
+    runs-on: ubuntu-22.04
+    if: >
+      github.event.pull_request.user.login == 'satyakwok' &&
+      github.event.pull_request.draft == false
+    steps:
+      - name: Enable auto-merge (squash) for owner PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          set -e
+          gh pr merge --auto --squash "$PR_URL" || {
+            echo "::warning::auto-merge enable returned non-zero — PR may already be merged, conflicted, or have auto-merge already enabled."
+            exit 0
+          }