diff --git a/.github/workflows/determinism-check.yml b/.github/workflows/determinism-check.yml
new file mode 100644
index 0000000..0fe3616
--- /dev/null
+++ b/.github/workflows/determinism-check.yml
@@ -0,0 +1,31 @@
+name: Determinism Check
+on:
+ push:
+ branches: [ main ]
+permissions:
+ contents: read
+jobs:
+ determinism:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Hard clean
+ shell: bash
+ run: |
+ set -euo pipefail
+ git reset --hard
+ git clean -ffd
+ - name: Verify clean workspace
+ shell: bash
+ run: |
+ set -euo pipefail
+ test -z "$(git status --porcelain=v1)"
+ git diff --exit-code
+ git submodule status || true
+ - name: Determinism marker
+ shell: bash
+ run: |
+ set -euo pipefail
+ echo "determinism: ok"
diff --git a/.github/workflows/identity.yml b/.github/workflows/identity.yml
new file mode 100644
index 0000000..5383a97
--- /dev/null
+++ b/.github/workflows/identity.yml
@@ -0,0 +1,20 @@
+name: identity
+on:
+ push:
+ branches: [ main ]
+permissions:
+ contents: read
+jobs:
+ identity:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - name: Actor/Ref assertion
+ shell: bash
+ run: |
+ set -euo pipefail
+ echo "actor=${GITHUB_ACTOR}"
+ echo "ref=${GITHUB_REF}"
+ echo "sha=${GITHUB_SHA}"
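Review bot: The `Determinism marker` step in determinism-check.yml prints `determinism: ok` unconditionally, and the steps before it only confirm that a fresh checkout is still clean after `git reset --hard` and `git clean -ffd`, so the job goes green for every commit without building or comparing anything. If it is meant to gate on reproducibility it needs a step that produces the artifact twice and compares digests; until then a job-level comment such as `# Checks workspace cleanliness only; no build output is compared` would stop the green check being read as a reproducibility guarantee. `git submodule status || true` also discards any failure, and checkout is not asked to fetch submodules, so that line verifies nothing. Separately, `actions/checkout@v4` here and in identity.yml is a mutable tag; pinning it as `uses: actions/checkout@<full-commit-sha> # v4` and adding `persist-credentials: false` under `with:` is the usual supply-chain hardening for both workflows.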
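Review bot: The step named `Actor/Ref assertion` in identity.yml asserts nothing: it echoes `GITHUB_ACTOR`, `GITHUB_REF` and `GITHUB_SHA` and exits 0 whatever their values are, so the workflow cannot fail on an unexpected identity. Either rename it to what it does, `- name: Log actor, ref and sha`, or add an explicit comparison against the expected values so that a mismatch fails the job. None of the three echoes read the working tree, so the checkout step could be dropped; by default checkout leaves the job token in the local git config, which this job has no use for.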