diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
new file mode 100644
index 00000000..1f3caf94
--- /dev/null
+++ b/.github/workflows/audit.yaml
@@ -0,0 +1,41 @@
+name: 🔍 Audit
+permissions:
+ contents: read
+
+on:
+ schedule:
+ - cron: '0 6 * * WED' # At 06:00 AM, only on Wednesday
+ workflow_dispatch:
+
+jobs:
+ audit:
+ name: Vulnerability audit
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - name: Set up runner
+ uses: ./.github/actions/setup-runner
+
+ - name: Get latest release tag
+ id: release
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ tag=$(gh release view --repo ${{ github.repository }} --json tagName --jq '.tagName')
+ echo "tag=$tag" >> $GITHUB_OUTPUT
+
+ - name: Checkout latest release
+ uses: actions/checkout@v6
+ with:
+ ref: ${{ steps.release.outputs.tag }}
+
+ # From https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
+ # NU1900: Error communicating with package source, while getting vulnerability information.
+ # NU1901: Package with low severity detected
+ # NU1902: Package with moderate severity detected
+ # NU1903: Package with high severity detected
+ # NU1904: Package with critical severity detected
+ # NU1905: An audit source does not provide a vulnerability database
+ - name: Audit
+ run: >
+ dotnet restore Drift.sln -p:WarningsAsErrors='"NU1900;NU1901;NU1902;NU1903;NU1904;NU1905"'
diff --git a/Drift.sln b/Drift.sln
index d29c2422..59537d88 100644
--- a/Drift.sln
+++ b/Drift.sln
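Review bot: The `Set up runner` step runs `uses: ./.github/actions/setup-runner` before any checkout in this job, and a repository-local action is resolved from the runner's workspace, so the job will fail on its first step unless that composite action is somehow already on disk; move the `- name: Set up runner` / `uses: ./.github/actions/setup-runner` step to after `Checkout latest release` (the `gh release view` step only needs the preinstalled CLI and `GH_TOKEN`). `actions/checkout@v6` is pinned to a mutable major tag; for a workflow that fetches release code and then runs `dotnet restore` on it, pin to the full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<40-char sha> # v6`, so a retagged action cannot change what runs. NuGet audit covers only direct package references on older SDKs (`NuGetAuditMode` defaults to `direct` before the .NET 9 SDK, as far as I recall); if transitive packages are meant to be in scope, add `-p:NuGetAuditMode=all` next to `WarningsAsErrors` rather than relying on the SDK default. Treating NU1900 (could not reach the vulnerability source) as an error is the right fail-closed choice; a short comment such as `# NU1900 is intentionally fatal: an audit that cannot fetch data must not pass` would keep someone from relaxing it later.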
@@ -61,6 +61,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Workflows", "Workflows", "{
 .github\workflows\ci.yaml = .github\workflows\ci.yaml
 .github\workflows\release.yaml = .github\workflows\release.yaml
 .github\workflows\prerelease.yaml = .github\workflows\prerelease.yaml
+ .github\workflows\audit.yaml = .github\workflows\audit.yaml
+ .github\workflows\renovate.yaml = .github\workflows\renovate.yaml
+ .github\workflows\codeql.yml = .github\workflows\codeql.yml
 EndProjectSection
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Cli.E2ETests.Abstractions", "src\Cli.E2ETests.Abstractions\Cli.E2ETests.Abstractions.csproj", "{A2CE629F-8D56-4539-9642-C31B550F7C30}"